ERserver. Tips and Tools for Securing Your iseries. iseries. Version 5 SC41-5300-06

ERserer iseries Tips and Tools for Securing Your iseries Version 5 SC41-5300-06

ERserer iseries Tips and Tools for Securing Your iseries Version 5 SC41-5300-06

Note Before using this information and the product it supports, be sure to read the information in the Security Basic articles found on-line in the Information Center. The Internet URL address is http://www.ibm.com/eserer/iseries/infocenter. Seenth Edition (August 2002) This edition replaces SC41-5300-05. This edition applies only to V4R5 and subsequent ersions of OS/400. Copyright International Business Machines Corporation 1996, 2002. All rights resered. US Goernment Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents Figures.............. ii Tables............... ix About Tips and Tools for Securing your iseries (SC41-5300-06)........ xi Who should read this book......... xi How to use this information......... xii Prerequisite and related information...... xii iseries Naigator............ xiii How to send your comments........ xiii Part 1. What s new for V5R2..... 1 Chapter 1. iseries security enhancements............ 3 Part 2. Basic iseries security.... 5 Chapter 2. Basic elements of iseries security............... 7 Security leels.............. 7 Global settings.............. 8 User profiles.............. 8 Group profiles.............. 9 Resource security............. 9 Limit access to program function....... 9 Security audits............. 11 Example: System security attributes report.... 11 Chapter 3. iseries Security Wizard and Security Adisor.......... 15 Security Wizard............. 15 Security Adisor............. 17 Chapter 4. Control interactie sign-on 19 Set password rules............ 19 Password leels............. 20 Plan password leel changes....... 20 Change known passwords......... 25 Set sign-on alues............ 26 Change sign-on error messages........ 27 Schedule aailability of user profiles...... 28 Remoe inactie user profiles........ 29 Disable user profiles automatically..... 29 Remoe user profiles automatically..... 29 Aoid default passwords.......... 30 Monitor sign-on and password actiity..... 30 Store password information......... 31 Chapter 5. Configure the iseries to use Security Tools........... 33 Operate Security Tools securely........ 33 Aoid file conflicts............ 33 Sae Security Tools............ 34 Commands and menus for security commands.. 34 Security Tools menu options........ 34 Use the Security Batch menu....... 36 Commands for customizing security..... 41 Values set by the Configure System Security command.............. 42 Functions of the Reoke Public Authority command.............. 44 Part 3. Adanced iseries security 47 Chapter 6. Protect information assets with object authority......... 49 Object authority enforcement........ 49 Menu security............. 49 Limitations of menu access control..... 50 Enhance menu access control with object security 50 Example: Set up a transition enironment... 51 Use library security to complement menu security............... 53 Configure object ownership......... 53 Object authority to system commands and programs 53 Audit security functions.......... 54 Analyze user profiles.......... 54 Analyze object authorities........ 56 Check for altered objects......... 56 Analyze programs that adopt authority.... 57 Manage the audit journal and journal receiers 57 Chapter 7. Manage authority..... 59 Monitor public authority to objects...... 59 Manage authority for new objects....... 60 Monitor authorization lists......... 60 Use authorization lists.......... 61 Accessing Policies in iseries Naigator.... 62 Monitor priate authority to objects...... 63 Monitor access to output and job queues.... 63 Monitor special authorities......... 64 Monitor user enironments......... 65 Manage serice tools........... 66 Chapter 8. Use logical partitions security (LPAR)........... 69 Manage security for logical partitions...... 70 Chapter 9. iseries Operations Console 71 Operations Console security oeriew..... 72 Console deice authentication....... 72 User authentication........... 72 Data priacy............. 72 Data integrity............. 73 Copyright IBM Corp. 1996, 2002 iii

Use Operations Console with LAN connectiity.. 73 Protect Operations Console with LAN connectiity 73 Use the Operations Console setup wizard.... 73 Chapter 10. Detect suspicious programs............. 75 Protect against computer iruses....... 75 Monitor usage of adopted authority...... 77 Limit the use of adopted authority...... 77 Preent new programs from using adopted authority.............. 78 Monitor usage of trigger programs...... 80 Check for hidden programs......... 81 Ealuate registered exit programs....... 82 Check scheduled programs......... 83 Restrict Sae and Restore capability...... 83 Check for user objects in protected libraries... 84 Chapter 11. Preent and detect hacking attempts.............. 85 Physical security............. 85 Monitor user profile actiity......... 85 Object signing............. 86 Monitor subsystem descriptions....... 87 Autostart job entries........... 87 Workstation names and workstation types.... 88 Job queue entries............ 88 Routing entries............. 88 Communications entries and remote location names 88 Prestart job entries............ 89 Jobs and job descriptions.......... 89 Architected transaction program names..... 90 Architected TPN requests......... 91 Methods for Monitoring Security Eents..... 92 Part 4. Applications and network communications.......... 95 Chapter 12. Use Integrated File System to secure files........... 97 The Integrated File System approach to security.. 97 Root (/), QOpenSys, and user-defined file systems 99 How authority works.......... 99 Print priate authorities objects (PRTPVTAUT) command.............. 101 Print publicly authorized objects (PRTPUBAUT) command.............. 102 Restrict access to the QSYS.LIB file system... 103 Secure directories............ 104 Security for new objects.......... 104 Use the Create Directory command..... 104 Create a directory with an API...... 105 Create a stream file with the open() or creat() API................ 105 Create an object by using a PC interface... 105 QFileSr.400 file system.......... 105 Network file system........... 106 Chapter 13. Secure APPC communications.......... 109 APPC Terminology........... 109 Basic elements of APPC communications.... 110 Example: A basic APPC session....... 110 Restrict APPC sessions......... 110 APPC user access to the target system..... 111 System methods for sending information about a user............... 111 Options for diiding network security responsibility............ 112 Target system assignment of user profiles for jobs 113 Display station passthrough options...... 114 Aoid unexpected deice assignments..... 116 Control remote commands and batch jobs.... 116 Ealuate your APPC configuration...... 116 Releant parameters for APPC deices.... 117 Parameters for APPC controllers...... 119 Parameters for line descriptions...... 120 Chapter 14. Secure TCP/IP communications.......... 121 Preent TCP/IP processing......... 121 TCP/IP security components........ 121 Use packet rules to secure TCP/IP traffic... 122 HTTP proxy serer.......... 122 Virtual Priate Networking (VPN)..... 122 Secure Sockets Layer (SSL)........ 123 Secure your TCP/IP enironment...... 123 Control which TCP/IP serers start automatically............ 124 Security considerations for using SLIP..... 125 Control dial-in SLIP connections...... 126 Control dial-out sessions........ 128 Security considerations for point-to-point protocol 129 Security considerations for using Bootstrap Protocol serer............. 130 Preent BOOTP Access......... 130 Secure the BOOTP serer........ 131 Security considerations for using DHCP serer.. 131 Preent DHCP access.......... 132 Secure the DHCP serer......... 132 Security considerations for using TFTP serer.. 133 Preent TFTP access.......... 133 Secure the TFTP serer......... 134 Security considerations for using REXEC serer 135 Preent REXEC access......... 135 Secure the REXEC serer........ 135 Security considerations for using RouteD.... 136 Security considerations for using DNS serer... 136 Preent DNS access.......... 136 Secure the DNS serer......... 137 Security considerations for using HTTP serer for iseries................ 138 Preent HTTP access.......... 138 Control access to the HTTP serer..... 139 Security considerations for using SSL with IBM HTTP Serer for iseries......... 143 Security considerations for LDAP...... 144 Security considerations for LPD....... 144 i Tips and tools for securing your iseries serer V5R2

Preent LPD access.......... 144 Control LPD access.......... 145 Security considerations for SNMP...... 145 Preent SNMP access.......... 145 Control SNMP access.......... 146 Security considerations for INETD serer.... 147 Security considerations for limiting TCP/IP roaming............... 148 Chapter 15. Secure workstation access.............. 149 Preent workstation iruses........ 149 Secure workstation data access....... 149 Object authority with workstation access... 150 Application Administration........ 151 Use SSL with iseries Access for Windows... 152 iseries Naigator security........ 152 Preent ODBC access........... 153 Security considerations for workstation session passwords.............. 153 Protect the serer from remote commands and procedures.............. 154 Protect workstations from remote commands and procedures.............. 155 Gateway serers............ 155 Wireless LAN communications....... 156 Chapter 16. Security exit programs 159 Chapter 17. Security considerations for Internet browsers........ 161 Risk: workstation damage......... 161 Risk: access to iseries directories through mapped dries................ 161 Risk: trusted signed applets........ 162 Chapter 18. Related information... 163 Notices.............. 165 Trademarks.............. 167 Index............... 169 Contents

i Tips and tools for securing your iseries serer V5R2

Figures 1. System Security Attributes Report-Sample 12 2. Schedule Profile Actiation Display Sample 28 3. Priate Authorities Report for Authorization Lists............... 60 4. Display authorization list objects report 61 5. User information report: Example 1.... 64 6. User information report: Example 2.... 65 7. Print user profile-user enironment example 66 8. Work with Registration Information-Example 82 9. APPC Deice Descriptions-Sample Report 117 10. Configuration List Report-Example.... 117 11. APPC Controller Descriptions-Sample Report 119 12. APPC Line Descriptions-Sample Report 120 13. iseries system with a gateway serer 155 Copyright IBM Corp. 1996, 2002 ii

iii Tips and tools for securing your iseries serer V5R2

Tables 1. System Values for Passwords....... 19 2. Passwords for IBM-supplied profiles.... 25 3. Passwords for dedicated serice tools.... 26 4. Sign-on system alues......... 26 5. Sign-on error messages......... 27 6. Tool commands for user profiles..... 34 7. Tool commands for security auditing.... 36 8. Commands for security reports...... 37 9. Commands for customizing your system 41 10. Values set by the CFGSYSSEC command 42 11. Commands whose public authority is set by the RVKPUBAUT command....... 44 12. Programs whose public authority is set by the RVKPUBAUT command........ 44 13. Encryption results.......... 71 14. Use Adopted Authority (USEADPAUT) Example............. 78 15. System-Proided Exit Programs...... 81 16. Exit points for user profile actiity..... 85 17. Programs and users for TPN requests.... 91 18. Security alues in the APPC architecture 111 19. How the APPC security alue and the SECURELOC alue work together.... 113 20. Possible alues for the default user parameter 114 21. Sample pass-through sign-on requests 114 22. How TCP/IP commands determine which serers to start........... 124 23. Autostart alues for TCP/IP serers.... 125 24. Sources of Sample Exit Programs..... 159 Copyright IBM Corp. 1996, 2002 ix

x Tips and tools for securing your iseries serer V5R2

About Tips and Tools for Securing your iseries (SC41-5300-06) Who should read this book The role of computers in organizations is changing rapidly. IT managers, software proiders, security administrators, and auditors need to take a new look at many areas that they hae taken for granted in the past. iseries security should be on that list. Systems are proiding many new functions that are astly different from traditional accounting applications. Users are entering systems in new ways: LANs, switched lines (dial-up), wireless, networks of all types. Often, users neer see a sign-on display. Many organizations are expanding to become an extended enterprise, either with proprietary networks or with the Internet. Suddenly, systems seem to hae a whole new set of doors and windows. Systems managers and security administrators are justifiably concerned about how to protect information assets in this rapidly changing enironment. This information proides a set of practical suggestions for using the security features of iseries and for establishing operating procedures that are security-conscious. The recommendations in this information apply to an installation with aerage security requirements and exposures. This information does not proide a complete description of the aailable iseries security features. If you want to read about additional options or you need more complete background information, consult the publications that are described in Chapter 18, Related information on page 163. This information also describes how to set up and use security tools that are part of OS/400. Chapter 5, Configure the iseries to use Security Tools on page 33 and Commands and menus for security commands on page 34 proide reference information about the security tools. This information proides examples for using the tools. A security officer or security administrator is responsible for the security on a system. That responsibility usually includes the following tasks: Setting up and managing user profiles Setting system-wide alues that affect security Administering the authority to objects Enforcing and monitoring the security policies If you are responsible for security administration for one or more iseries systems, this information is for you. The instructions in this information assume the following: You are familiar with basic iseries operating procedures, such as signing on and using commands. You are familiar with the basic elements of iseries security: security leels, security system alues, user profiles, and object security. Copyright IBM Corp. 1996, 2002 xi

Note: Chapter 2, Basic elements of iseries security on page 7 proides a reiew of these elements. If these basic elements are new to you, then read the Basic security and planning topic in the iseries Information Center. See Prerequisite and related information for more details. You hae actiated security on your system by setting the security leel (QSECURITY) system alue to at least 30. How to use this information IBM continually enhances the security capabilities of iseries. To take adantage of these enhancements, you should regularly ealuate the cumulatie fix package that is currently aailable for your release. See if it contains fixes that are releant to security. If you hae not set up your system to use the security tools or if you had the Security ToolKit for OS/400 installed for an earlier release, do the following: 1. Start with Chapter 3, iseries Security Wizard and Security Adisor on page 15. It describes how to use these features to select which security tools are recommended and how to get started with them. 2. For more basic security information, you can reiew the Security Reference information, located on-line in the iseries Information Center. Note This information has many tips for securing iseries. Your system may only need protection in some areas. Use this information to educate yourself on possible security exposures and their remedies. Then focus your efforts on the areas that are most critical for your system. Prerequisite and related information Use the iseries Information Center as your starting point for looking up iseries technical information. You can access the Information Center two ways: From the following Web site: http://www.ibm.com/eserer/iseries/infocenter From CD-ROMs that ship with your Operating System/400 order: iseries Information Center, SK3T-4091-02. This package also includes the PDF ersions of iseries Information Center manuals, iseries Information Center: Supplemental Manuals, SK3T-4092-01, which replaces the Softcopy Library CD-ROM. The iseries Information Center contains adisors and topics such as Jaa, TCP/IP, Web sering, secured networks, logical partitions, clustering, CL commands, and system application programming interfaces (APIs). It also includes links to related IBM Redbooks and Internet links to other IBM Web sites such as the Technical Studio and the IBM home page. With eery new hardware order, you receie the iseries Setup and Operations CD-ROM, SK3T-4098-01. This CD-ROM contains IBM iseries Access for Windows and the EZ-Setup wizard. IBM iseries Access for Windows offers a powerful set of xii Tips and tools for securing your iseries serer V5R2

iseries Naigator How to send your comments client and serer capabilities for connecting PCs to iseries serers. The EZ-Setup wizard automates many of the iseries setup tasks. IBM iseries Naigator is a powerful graphical interface for managing your iseries serers. iseries Naigator functionality includes system naigation, configuration, planning capabilities, and online help to guide you through your tasks. iseries Naigator makes operation and administration of the serer easier and more productie and is the only user interface to the new, adanced features of the OS/400 operating system. It also includes Management Central function for managing multiple serers from a central system. You can find more information on iseries Naigator in the iseries Information Center and at the following Web site: http://www.ibm.com/eserer/iseries/naigator/ Your feedback is important in helping to proide the most accurate and high-quality information. If you hae any comments about this book or any other iseries documentation, fill out the readers comment form at the back of this book. If you prefer to send comments by mail, use the readers comment form with the address that is printed on the back. If you are mailing a readers comment form from a country other than the United States, you can gie the form to the local IBM branch office or IBM representatie for postage-paid mailing. If you prefer to send comments by FAX, use either of the following numbers: United States, Canada, and Puerto Rico: 1-800-937-3430 Other countries: 1-507-253-5192 If you prefer to send comments electronically, use one of these e-mail addresses: Comments on books: RCHCLERK@us.ibm.com Comments on the iseries Information Center: RCHINFOC@us.ibm.com Be sure to include the following: The name of the book or iseries Information Center topic. The publication number of a book. The page number or topic of a book to which your comment applies. About Tips and Tools for Securing your iseries (SC41-5300-06) xiii

xi Tips and tools for securing your iseries serer V5R2

Part 1. What s new for V5R2 This is the seenth edition of this information. This edition supports the ersions V4R5 and subsequent ersions of OS/400. New iseries security features are highlighted in this section. Minor technical and wording changes hae been made throughout this book. A ertical line () to the left of the text indicates a substantial change or addition. Copyright IBM Corp. 1996, 2002 1

2 Tips and tools for securing your iseries serer V5R2

Chapter 1. iseries security enhancements The following security enhancements are now aailable on the iseries serer: 1. Single sign-on enablement:to enable a single sign-on enironment, IBM proides two technologies that work together to allow users to sign in with their Windows username and password and be authenticated to iseries systems in the network: a. Enterprise Identity Mapping (EIM): EIM proides the mechanics for cross-platform single sign-on enablement. EIM proides a mechanism for associating Kerberos principals to a single EIM identifier that represents that user within the entire enterprise. Other user identities, such as an OS/400 username, can also be associated with this EIM identifier. b. Network Authentication Serice (NAS): NAS allows an iseries system that is being used in the capacity of centralized serer, or a key distribution center, to authenticate principals (Kerberos users) to the network. 2. Independent auxiliary storage pool (ASP): Also referred to as an independent disk pool, an ASP is a collection of disk units that can be brought online or taken offline independent of the rest of the storage on a system, including the system disk pool, basic user disk pools, and other independent disk pools. 3. CHGSYSVAL CL command: This command restricts the changing of security-related system alues, and the addition of digital certificates to a digital certificate store using the Add Verifier API and restricting digital certificate stores from haing their passwords reset. See Chapter 3 of the IBM Security Reference for more information on using this command. 4. Cryptographic hardware: IBM now offers two cryptographic hardware solutions for customers that require a high leel of security for data stored on their iseries, and for SSL transactions. You can use the new IBM 2058 Cryptographic Accelerator to improe iseries serer performance by rerouting the processing of priate keys away from the system processors. This hardware option is an excellent choice for iseries implementations that handle high olumes of Secure Sockets Layer (SSL) transactions. Also, there are two new capabilities for the 4758 Cryptographic Coprocessor: unique key per transaction (UKPT) for financial pin processing and Common Cryptographic Architecture (CCA) 2.4. Copyright IBM Corp. 1996, 2002 3

4 Tips and tools for securing your iseries serer V5R2

Part 2. Basic iseries security Copyright IBM Corp. 1996, 2002 5

6 Tips and tools for securing your iseries serer V5R2

Chapter 2. Basic elements of iseries security Security leels This topic proides a brief reiew of the basic elements that work together to proide iseries security. In other parts of this book we go beyond the basics to proide tips for using these security elements to meet the needs of your organization. You can choose how much security you want the system to enforce by setting the security leel (QSECURITY) system alue. The system offers fie leels of security: Leel 10: The system does not enforce any security. No password is necessary. If the specified user profile does not exist on the system when someone signs on, the system creates one. ATTENTION: Beginning in V4R3 and future releases, you cannot set the QSECURITY system alue to 10. If your system is currently at security leel 10, it will remain at leel 10 when you install Version 4 Release 3. If you change the security leel to some other alue, you cannot change it back to leel 10. Because leel 10 proides no security protection, security leel 10 is not recommended by IBM. IBM will not proide support for any problems that occur at security leel 10 unless the problem can also be created at a higher security leel. Leel 20: The system requires a user ID and password for signing on. Security leel 20 is often referred to as sign-on security.by default, all users hae access to all objects because all users hae *ALLOBJ special authority. Leel 30: The system requires a user ID and password for signing on. Users must hae authority to use objects because users do not hae any authority by default. This is called resource security. Leel 40: The system requires a user ID and password for signing on. In addition to resource security, the system proides integrity protectionfunctions. Integrity protection functions, such as the alidation of parameters for interfaces to the operating system, are intended to protect both your system and the objects on your system from tampering by experienced system users. For most installations, leel 40 is the recommended security leel. When you receie a new iseries system with V4R5 or later release, the security leel is set to 40. Leel 50: The system requires a user ID and password for signing on. The system enforces both resource security and the integrity protection of leel 40,but adds enhanced integrity protection, such as the restriction of Copyright IBM Corp. 1996, 2002 7

Global settings message-handling between system state programs and user state programs. Security leel 50 is intended for iseries systems with high security requirements. Note: Leel 50 is the required leel for C2 certification (and FIPS-140 certification). Chapter 2 of the iseries Security Reference book proides more information about the security leels and describes how to moe from one security leel to another. Your system has global settings that affect how work enters the system and how the system appears to other system users. These settings include the following: Security system alues: Security system alues are used to control security on your system. These alues are broken into four groups: General security system alues Other system alues related to security System alues that control passwords System alues that control auditing Seeral topics in this book discuss the security implications of specific system alues. Chapter 3 in the iseries Security Reference book describes all the security-releant system alues. Network attributes: Network attributes control how your system participates (or chooses not to participate) in a network with other systems. You can read more about network attributes in the Work Management book. Subsystem descriptions and other work management elements: Work management elements determine how work enters the system and what enironment the work runs in. Seeral topics in this information discuss the security implications of some work management alues. The Work Management book proides complete information. Communications configuration: Your communications configuration also affects how work enters your system. Seeral topics in this information proide suggestions for protecting your system when it participates in a network. User profiles Eery system user must hae a user profile. You must create a user profile before a user can sign on.user profiles can also be used to control access to serice tools such as DASD and main storage dumps. See Manage serice tools on page 66 for more information. The user profile is a powerful and flexible tool. It controls what the user can do and customizes the way the system appears to the user. The iseries Security Reference book describes all the parameters in the user profile. 8 Tips and tools for securing your iseries serer V5R2

Group profiles Resource security A group profile is a special type of user profile. You can use a group profile to define authority for a group of users, rather than giing authority to each user indiidually. You can also use a group profile as a pattern when you create indiidual user profiles by using the copy-profile function or if you use iseries Naigator you can use the security policies menu to edit user authorities. Chapter 5 and Chapter 7 in the iseries Security Reference book proide more information about planning and using group profiles. Resource security on the system allows you to define who can use objects and how those objects can be used. The ability to access an object is called authority. When you set up object authority, you can need to be careful to gie your users enough authority to do their work without giing them the authority to browse and change the system. Object authority gies permissions to the user for a specific object and can specify what the user is allowed to do with the object. An object resource can be limited through specific detailed user authorities, such as adding records or changing records. System resources can be used to gie the user access to specific system-defined subsets of authorities: *ALL, *CHANGE, *USE, and *EXCLUDE. Files, programs, libraries, and directories are the most common system objects that require resource security protection, but you can specify authority for any indiidual object on the system. Chapter 6, Protect information assets with object authority discusses the importance of setting up object authority on your system. Chapter 5 of the iseries Security Reference book describes the options for setting up resource security. Limit access to program function The limit access to program function allows you to proide security for the program when you do not hae an iseries object to secure for the program. Before the limit access to program function support was added in V4R3, you could accomplish this by creating an authorization list or other object, and checking the authority to the object to control access to the program function. Now you can use the limit access to program function to more easily control access to an application, parts of an application, or functions within a program. There are two methods that you can use to manage user access to application functions through iseries Naigator. The first uses Application Administration support: 1. Right-click the system that contains the function whose access setting you want to change. 2. Select Application Administration. 3. If you are on an administration system, select Local Settings. Otherwise, continue with the next step. 4. Select an administrable function. 5. Select Default Access, if applicable. By selecting this, you allow all users to access the function by default. Chapter 2. Basic elements of iseries security 9

6. Select All Object Access, if applicable. By selecting this, you allow all users with all object system prielege to access this function. 7. Select Customize, if applicable. use the Add and Remoe buttons on the Customize Access dialog to add or remoe users or groups in the Access allowed and Access denied lists. 8. Select Remoe Customization, if applicable. By selecting this, you delete any customized access for the selected function. 9. Click OK to close the Application Administration dialog. The second method of managing user access inoles iseries Naigator s Users and Groups support: 1. In iseries Naigator, expand Users and Groups. 2. Select All Users, Groups, orusers Not in a Group to display a list of users and groups. 3. Right-click a user or group, and select Properties. 4. Click Capabilities. 5. Click the Applications tab. 6. Use this page to change the access setting for a user or group. 7. Click OK twice to close the Properties dialog. See iseries Naigator security on page 152 for more information on iseries Naigator security issues. If you are an application writer, you can use limit access to program function APIs to do the following: Register a function Retriee information about the function Define who can or cannot use the function Check to see if the user is allowed to use the function Note: This support is not a replacement for resource security. Limit access to program function does not preent a user from accessing a resource (such as a file or program) from another interface. To use this support within an application, the application proider must register the functions when the application is installed. The registered function corresponds to a code block for specific functions in the application. When the application is run by the user, the application calls the API before the application calls the code block. The API calls the check usage API to see if the user is allowed to use the function. If the user is allowed to use the registered function, the code block is run. If the user is not allowed to use the function, the user is preented from running the code block. Note: API s inole registering a 30 character function ID in the registration data base (WRKREGINF). Although there are no exit points related to function IDs used by the limit access to function APIs, it is required to hae exit points. To register anything in the registry, you must supply an exit point format name. To do this the Register Function API creates a dummy format name and uses this dummy format name for all functions that are registered. Because this is a dummy format name, no exit point program is eer called. 10 Tips and tools for securing your iseries serer V5R2

Security audits The system administrator specifies who is allowed or denied access to a function. The administrator can either use the API to manage the access to program function or use the iseries Naigator Application Administration GUI. The iseries serer API Reference book proides information about the limit access to program function API s. For additional information about controlling access to functions, see iseries Naigator security on page 152. People audit their system security for seeral reasons: To ealuate whether the security plan is complete. To make sure that the planned security controls are in place and working. This type of auditing is usually performed by the security officer as part of daily security administration. It is also performed, sometimes in greater detail, as part of a periodic security reiew by internal or external auditors. To make sure that system security is keeping pace with changes to the system enironment. Some examples of changes that affect security are: New objects created by system users New users admitted to the system Change of object ownership (authorization not adjusted) Change of responsibilities (user group changed) Temporary authority (not timely reoked) New products installed To prepare for a future eent, such as installing a new application, moing to a higher security leel, or setting up a communications network. The techniques described here are appropriate for all these situations. Which things you audit and how often depends on the size and security needs of your organization. Security auditing inoles using commands on your system and accessing log and journal information. You can create a special profile to be used by someone doing a security audit of your system. The auditor profile needs *AUDIT special authority to change the audit characteristics of the system. Some of the auditing tasks suggested in this chapter require a user profile with *ALLOBJ and *SECADM special authority. Set the password for the auditor profile to *NONE when the audit period has ended. For more details on security auditing see Chapter 9, of the Security Reference book. Example: System security attributes report Figure 1 on page 12 shows an example of the output from the Print System Security Attributes (PRTSYSSECA) command. The report shows the settings for security-releant system alues and network attributes that are recommended for systems with normal security requirements. It also shows the current settings on your system. Note: The Current Value column on the report shows the current setting on your system. Compare this to the recommended alue to see where you may hae security exposures. Chapter 2. Basic elements of iseries security 11

System Security Attributes System Value Name Current alue Recommended alue QALWOBJRST *NONE *NONE QALWUSRDMN *ALL QTEMP QATNPGM QEZMAIN QSYS *NONE QAUDENDACN *NOTIFY *NOTIFY QAUDFRCLVL *SYS *SYS QAUDCTL *AUDLVL *AUDLVL *OBJAUD QAUDLVL *SECURITY *AUTFAIL *CREATE *DELETE *SECURITY *SAVRST *NOQTEMP Figure 1. System Security Attributes Report-Sample (Part 1 of 4) QAUTOCFG 0 0 QAUTORMT 1 0 QAUTOVRT 9999 0 QCMNRCYLMT 0 0 0 0 QCRTAUT *CHANGE Control at library leel. QCRTOBJAUD *NONE Control at library leel. QDEVRCYACN *DSCMSG *DSCMSG QDSCJOBITV 120 120 QDSPSGNINF 1 1 QINACTITV 60 60 QINACTMSGQ *ENDJOB *ENDJOB QLMTDEVSSN 0 1 QLMTSECOFR 0 1 QMAXSGNACN 2 3 QMAXSIGN 3 3 Figure 1. System Security Attributes Report-Sample (Part 2 of 4) QPWDEXPITV 60 60 QPWDLMTAJC 1 1 QPWDLMTCHR *NONE AEIOU@$# QPWDLMTREP 1 2 QPWDLVL 0 QPWDMAXLEN 8 8 QPWDMINLEN 6 6 QPWDPOSDIF 1 1 QPWDRQDDGT 1 1 QPWDRQDDIF 0 1 QPWDVLDPGM *NONE *NONE QRETSVRSEC 0 0 QRMTIPL0 0 QRMTSIGN *FRCSIGNON *FRCSIGNON QSECURITY 50 50 QSHRMEMCTL1 0 QSRVDMP *DMPUSRJOB *NONE QUSEADPAUT *NONE CRTAUTL AUTL(QUSEADPAUT) AUT(*EXCLUDE) CHGOBJOWN OBJ(QUSEADPAUT) OBJTYPE(*AUTL) CHGSYSVAL SYSVAL(QUSEADPAUT) VALUE(QUSEADPAUT) QVFYOBJRST 1 3 Figure 1. System Security Attributes Report-Sample (Part 3 of 4) 12 Tips and tools for securing your iseries serer V5R2

System Security Attributes Network Attribute Name Current alue Recommended alue DDMACC *OBJAUT *REJECT JOBACN *FILE *REJECT PCSACC *OBJAUT *REJECT Figure 1. System Security Attributes Report-Sample (Part 4 of 4) Chapter 2. Basic elements of iseries security 13

14 Tips and tools for securing your iseries serer V5R2

Chapter 3. iseries Security Wizard and Security Adisor Security Wizard iseries serer Security Wizard and Security Adisor tools can help you decide what security alues to put into effect on your iseries serer. Using the iseries serer Security Wizard in iseries Naigator you will produce reports that reflect your security needs based on your selected answers. You can then use this to configure your system security. Use the iseries Security Wizard or the iseries Security Adisor to help you plan for and implement a basic security policy for your iseries serers. The goal of both tools is to make it easier for you to implement and manage security on your systems. The wizard, which is aailable as part of OS/400, asks you seeral high-leel questions about your serer enironment, and based on your answers, proides you with a set of recommendations that the wizard can apply to your system right away. The Security Adisor is the on-line ersion of the Security Wizard. Located in our Technical Studio, it allows you to select your choices based on your security needs and then gies you a report suggesting what features are needed to secure your site. The iseries Security Adisor is a Web-based ersion of the wizard. It proides recommendations for implementing security on your system, just as the wizard does. Howeer, the adisoer can not apply the recommendations. Rather, it outputs a list of system security alues and other attributes that you should apply on your system, based on your answers to the adisor s questions. You can access the iseries Security Adisor from the Technical Studio home page: http://www.iseries.ibm.com/tstudio/secure1/adisor/secwiz.htm Deciding which iseries security system alues you should use for your business can be perplexing. If you are new to security implementation on iseries serers, or the enironment in which you run your iseries serer has recently changed, the Security Wizard can help you with decisions. What is a wizard? A wizard is a tool designed to be run by a noice user to install or configure something on a system. The wizard prompts the user for information by asking questions. The response to each question determines what question is asked next. When the wizard has asked all the questions, the user is presented with a finish dialog. The user then pushes the Finish button to install and configure the item. Security Wizard goals The goal of the Security Wizard is to configure, based on a user s responses the following. Security related system alues and network attributes Security related reporting for monitoring the system. To generate an Administrator Information Report and a User Information Report: Copyright IBM Corp. 1996, 2002 15

The Administrator Information Report contains recommended security settings and any procedures that should be followed prior to putting the recommendations into effect. The User Information Report contains information that can be used for the business security policy. For example, password compositions rules are included in this report. To proide recommended settings for arious security-related items on the system. Security Wizard objecties The objecties of the Security Wizard are: To determine what the system security settings should be, based on the users answers to the wizard s questions, then implement the settings when appropriate. The wizard produces detailed information reports including the following. - Report explaining the Wizard s recommendations. - Report detailing the procedures that should be followed before implementation. - Report listing releant information to be distributed to the users of the system. These items put basic security policy into effect on your system. The wizard recommends audit journal reports that you should schedule to run periodically. When scheduled, these reports help: Ensure that security policies are followed. Ensure that security policies are only changed with your approal. Schedule reports to monitor security-related eents on your system. The wizard allows you to sae the recommendations or to apply some or all of the recommendations to your system. Note: The Security Wizard can be used more than once on the same system to allow users who may hae an older installation to reiew their current security. The Security Wizard can be used from a V3R7 system (when iseries Naigator was introduced) upwards. To use iseries iseries Naigator, you must hae IBM iseries Access for Windows installed on your Windows 95/NT PC and hae an iseries serer connection from that PC. The user of the Wizard must be connected to an iseries serer. The user must hae a user ID that has *ALLOBJ, *SECADM, *AUDIT and *IOSYSCFG special authority. For help in connecting your Windows 95/NT PC to your iseries system, consult the IBM iseries Access for Windows topic in the Information Center (see Prerequisite and related information on page xii for details). To access the Security Wizard, do the following: 1. In iseries Naigator, expand your serer. 2. Right-click Security, and select Configure. When a user starts the Security option of the iseries Naigator a request is sent to the iseries serer to check the user s special authority. Should the user not hae all of the required special authority (*ALLOBJ, *AUDIT, *IOSYSCFG, *SECADM) then they will not see the Configure option and not be able to access the Security Wizard. 3. Assuming the user has the required authority: Preious wizard responses are retrieed. Current security settings are retrieed. 16 Tips and tools for securing your iseries serer V5R2

Security Adisor The Security Wizard will present you with one of three welcome screens. Which screen you see depends on which of the following conditions exists: The wizard has neer been run for the target iseries serer. The wizard has been run before and the security changes were deferred. The wizard has been run before and the security changes were put into effect. If you are not using iseries Naigator, you can still get help planning for your security needs. The Security Adisor is an on-line ersion of the Security Wizard, with one difference. The adisor will not automatically configure your system. It will howeer, generate a report of recommended security options based on your answers. To access the Security Adisor point your Internet browser to the following URL: http://www.iseries.ibm.com/tstudio/secure1/adisor/secwiz.htm The Security Adisor is part of the iseries Technical Studio. The Security Adisor is an on-line ersion of the Security Wizard. It asks the same questions as the Security Wizard and, based on your answers, generates the same recommendations. The main differences between the two tools are that: The Security Adisor does not Produce reports. Compare current settings with the recommend settings. Set any system alue automatically. You cannot apply recommendations from the Security Adisor. The Security Adisor generates a CL program that you can cut-and-paste and edit for your own use to automate security configuration. You can also link directly to the iseries serer documentation from the Security Adisor. This proides information about the system alue or report that can help you determine if this setting is appropriate for your enironment. To access the Security Adisor, point your Internet browser to the following URL: http://www.iseries.ibm.com/tstudio/secure1/adisor/secwiz.htm The Security Adisor is part of the iseries Technical Studio. This Web site answers many of your security questions and offers timely information on workshops, classes, and other resources. The URL for the Technical Studio address is: http://www.iseries.ibm.com/tstudio The URL for the iseries serer security section of the Technical Studio is: http://www.iseries.ibm.com/tstudio/secure1/secdex.htm Chapter 3. iseries Security Wizard and Security Adisor 17

18 Tips and tools for securing your iseries serer V5R2

Chapter 4. Control interactie sign-on Set password rules When you think about restricting entry to your system, start with the obious, the Sign On display. The following are options that you can use to make it difficult for someone to sign on to your system by using the Sign On display. To secure your system sign-on, do the following: Set a policy that states that passwords must not be triial and must not be shared. Set system alues to help you with enforcement. Table 1 shows recommended system alue settings. The combination of alues in Table 1 is fairly restrictie and is intended to significantly reduce the likelihood of triial passwords. Howeer, your users may find it difficult and frustrating to select a password that meets these restrictions. Consider proiding users with the following: 1. A list of the criteria for passwords. 2. Examples of passwords that are and are not alid. 3. Suggestions for how to think of a good password. Run the Configure System Security (CFGSYSSEC) command to set these alues. Use the Print System Security Attributes (PRTSYSSECA) command to print your current settings for these system alues. Chapter 3 of the iseries Security Reference book. Values set by the Configure System Security command on page 42 proides more information about the CFGSYSSEC command. Table 1. System Values for Passwords System alue name Description Recommended alue QPWDEXPITV How often the system users must change their passwords. 60 (days) You can specify a different alue for indiidual users in the user profile. QPWDLMTAJC Whether the system preents adjacent characters that are 1 (yes) the same. QPWDLMTCHR What characters may not be used in passwords. 2 AEIOU#$@ QPWDLMTREP Whether the system preents the same character from appearing more than once in the password. 2 (not allowed consecutiely) QPWDLVL Whether user profile passwords are limited to 10 0 3 characters or a maximum of 128. QPWDMAXLEN The maximum number of characters in a password. 8 QPWDMINLEN The minimum number of characters in a password. 6 QPWDPOSDIF Whether each character in a password must be different 1 (yes) from the character in the same position on the preious password. QPWDRQDDGT Whether the password must hae at least one numeric character. 1 (yes) QPWDRQDDIF How long a user must wait before using the same password again. 2 5 or less (expiration interals) 1 Copyright IBM Corp. 1996, 2002 19

Table 1. System Values for Passwords (continued) System alue name Description Recommended alue QPWDVLDPGM What exit program is called to alidate a newly assigned password. *NONE Notes: 1. The QPWDEXPITV system alue specifies how often you must change your password, such as eery 60 days. This is the expiration interal. The QPWDRQDDIF system alue specifies how many expiration interals must pass before you can use the same password again. Chapter 3 of the iseries Security Reference book proides more information about how these system alues work together. 2. QPWDLMTCHR is not enforced at password leels 2 or 3. See Password leels for details. 3. Refer to Plan password leel changes to determine the password leel that is right for your needs. Password leels Starting with V5R1 of the operating system, the QPWDLVL system alue offers increased password security. In preious releases, users were limited to passwords that were no more than 10 characters long, from a limited range of characters. Now, users can select a password (or passphrase) with as many as 128 characters, depending on the password leel at which their system is set. Password leels are: Leel 0: Systems are shipped at this leel. At leel 0, passwords are no more than 10 characters in length, containing only A-Z, 0 9, #, @, $, and _ characters. Passwords at leel 0 are less secure than those at higher password leels. Leel 1: Same rules as password leel 0, but passwords for iseries Support for Windows Network Neighborhood (hereafter referred to as iseries NetSerer) are not saed. Leel 2: Passwords are secure at this leel. This leel can be used for testing purposes. Passwords are saed for users on leel 0 or 1 if they are 10 characters or less, and use the character set for leel 0 or 1 passwords. Passwords (or passphrases) at this leel hae the following characteristics: as many as 128 characters in length. comprised of any aailable keyboard characters. may not be comprised entirely of blanks; blanks are remoed from the end of the password. case sensitie. Leel 3: Passwords at this leel are the most secure, and utilize the most adanced encryption algorithms aailable. Passwords at this leel hae the same characteristics as at leel 2. Passwords for iseries NetSerer are not saed at this leel. You should only use password leels 2 and 3 if eery system in your network meets this criteria: Operating system is V5R1 or later Password leel is set to 2 or 3 Similarly, users must all log in using the same password leel. Password leels are global; users cannot choose the leel at which they want their password secured. Plan password leel changes Changing password leels should be planned carefully. Operations with other systems may fail or users may not be able to sign on to the system if you haen t 20 Tips and tools for securing your iseries serer V5R2

planned for the password leel change adequately. Prior to changing the QPWDLVL system alue, make sure you hae saed your security data using the SAVSECDTA or SAVSYS command. If you hae a current backup, you will be able to reset the passwords for all users profiles if you need to return to a lower password leel. Products that you use on the system, and on clients with which the system interfaces, may hae problems when the password leel (QPWDLVL) system alue is set to 2 or 3. Any product or client that sends passwords to the system in an encrypted form, rather than in the clear text a user enters on a sign-on screen, must be upgraded to work with the new password encryption rules for QPWDLVL 2 or 3. Sending the encrypted password is known as password substitution. Password substitution is used to preent a password from being captured during transmission oer a network. Password substitutes generated by older clients that do not support the new algorithm for QPWDLVL 2 or 3, een if the specific characters are correct, will not be accepted. This also applies to any iseries to iseries peer access which utilizes the encrypted alues to authenticate from one system to another. The problem is compounded by the fact that some affected products (such as Jaa Toolbox) are proided as middleware. A third party product that incorporates a prior ersion of one of these products will not work correctly until rebuilt using an updated ersion of the middleware. Gien this and other scenarios, it is easy to see why careful planning is necessary before changing the QPWDLVL system alue. Considerations for changing QPWDLVL from 0 to 1 Password leel 1 allows a system, which does not hae a need to communicate with the Windows 95/98/ME AS/400 Client Support for Windows Network Neighborhood (iseries NetSerer) product, to hae the iseries NetSerer passwords eliminated from the system. Eliminating unnecessary encrypted passwords from the system increases the oerall security of the system. At QPWDLVL 1, all current, pre-v5r1 password substitution and password authentication mechanisms will continue to work. There is ery little potential for breakage except for functions and serices that require the iseries NetSerer password. Considerations for changing QPWDLVL from 0 or 1 to 2 Password leel 2 introduces the use of case sensitie passwords up to 128 characters in length (also called passphrases) and proides the maximum ability to reert back to QPWDLVL 0 or 1. Regardless of the password leel of the system, password leel 2 and 3 passwords are created wheneer a password is changed or a user signs on to the system. Haing a leel 2 and 3 password created while the system is still at password leel 0 or 1 helps prepare for the change to password leel 2 or 3. Prior to changing QPWDLVL to 2, you should use the DSPAUTUSR or PRTUSRPRF TYPE(*PWDINFO) commands to locate all user profiles which do not hae a password that is usable at password leel 2. Depending on which profiles these commands locate, you may want to use one of the following mechanisms to hae a password leel 2 and 3 password added to the profiles. Chapter 4. Control interactie sign-on 21

Change the password for the user profile using the CHGUSRPRF or CHGPWD CL command or the QSYCHGPW API. This will cause the system to change the password that is usable at password leels 0 and 1; and the system also creates two equialent case sensitie passwords that are usable at password leels 2 and 3. An all uppercase and all lowercase ersion of the password is created for use at password leel 2 or 3. For example, changing the password to C4D2RB4Y results in the system generating C4D2RB4Y and c4d2rb4y password leel 2 passwords. Sign on to the system through a mechanism that presents the password in clear text (does not use password substitution). If the password is alid and the user profile does not hae a password that is usable at password leels 2 and 3, the system creates two equialent case sensitie passwords that are usable at password leels 2 and 3. An all uppercase and all lowercase ersion of the password is created for use at password leel 2 or 3. The absence of a password that is usable at password leel 2 or 3 can be a problem wheneer the user profile also does not hae a password that is usable at password leels 0 and 1 or when the user tries to sign on through a product that uses password substitution. In these cases, the user will not be able to sign on when the password leel is changed to 2. If a user profile does not hae a password that is usable at password leels 2 and 3, the user profile does hae a password that is usable at password leels 0 and 1, and the user signs on through a product that sends clear text passwords, then the system alidates the user against the password leel 0 password and creates two password leel 2 passwords (as described aboe) for the user profile. Subsequent sign ons will be alidated against the password leel 2 passwords. Any client/serice which uses password substitution will not work correctly at QPWDLVL 2 if the client/serice hasn t been updated to use the new password (passphrase) substitution scheme. The administrator should check whether a client/serice which hasn t been updated to the new password substitution scheme is required. The clients/serices that use password substitution include: TELNET iseries Access iseries Host Serers QFileSr.400 iseries NetSerer print support DDM DRDA SNA LU6.2 It is highly recommended that the security data be saed prior to changing to QPWDLVL 2. This can help make the transition back to QPWDLVL 0 or 1 easier if that becomes necessary. It is recommended that the other password system alues, such as QPWDMINLEN and QPWDMAXLEN not be changed until after some testing at QPWDLVL 2 has occurred. This will make it easier to transition back to QPWDLVL 1 or 0 if necessary. Howeer, the QPWDVLDPGM system alue must specify either *REGFAC or *NONE before the system will allow QPWDLVL to be changed to 2. 22 Tips and tools for securing your iseries serer V5R2

Therefore, if you use a password alidation program, you may wish to write a new one that can be registered for the QIBM_QSY_VLD_PASSWRD exit point by using the ADDEXITPGM command. iseries NetSerer passwords are still supported at QPWDLVL 2, so any function/serice that requires an iseries NetSerer password should still function correctly. Once the administrator is comfortable with running the system at QPWDLVL 2, they can begin to change the password system alues to exploit longer passwords. Howeer, the administrator needs to be aware that longer passwords will hae these effects: If passwords greater than 10 characters are specified, the password leel 0 and 1 password is cleared. This user profile would not be able to signon if the system is returned to password leel 0 or 1. If passwords contain special characters or do not follow the composition rules for simple object names (excluding case sensitiity), the password leel 0 and 1 password is cleared. If passwords greater than 14 characters are specified, the iseries NetSerer password for the user profile is cleared. The password system alues only apply to the new password leel 2 alue and do not apply to the system generated password leel 0 and 1 password or iseries NetSerer password alues (if generated). Considerations for changing QPWDLVL from 2 to 3 After running the system at QPWDLVL 2 for some period of time, the administrator can consider moing to QPWDLVL 3 to maximize his password security protection. At QPWDLVL 3, all iseries NetSerer passwords are cleared so a system should not be moed to QPWDLVL 3 until there is no need to use iseries NetSerer passwords. At QPWDLVL 3, all password leel 0 and 1 passwords are cleared. The administrator can use the DSPAUTUSR or PRTUSRPRF commands to locate user profiles which don t hae password leel 2 or 3 passwords associated with them. Change to a lower password leel Returning to a lower QPWDLVL alue, while possible, is not expected to be a completely painless operation. In general, the mind set should be that this is a one-way trip from lower QPWDLVL alues to higher QPWDLVL alues. Howeer, there may be cases where a lower QPWDLVL alue must be reinstated. The following sections each discuss the work required to moe back to a lower password leel. Considerations for changing from QPWDLVL 3 to 2: This change is relatiely easy. Once the QPWDLVL is set to 2, the administrator needs to determine if any user profile is required to contain iseries NetSerer passwords or password leel 0 or 1 passwords and, if so, change the password of the user profile to an allowable alue. Additionally, the password system alues may hae to be changed back to alues compatible with iseries NetSerer and password leel 0 or 1 passwords, if those passwords are needed. Chapter 4. Control interactie sign-on 23

Considerations for changing from QPWDLVL 3 to 1 or 0: Because of the ery high potential for causing problems for the system (like no one can sign on because all of the password leel 0 and 1 passwords hae been cleared), this change is not supported directly. To change from QPWDLVL 3 to QPWDLVL 1 or 0, the system must first make the intermediary change to QPWDLVL 2. Considerations for changing from QPWDLVL 2 to 1: Prior to changing QPWDLVL to 1, the administrator should use the DSPAUTUSR or PRTUSRPRF TYPE(*PWDINFO) commands to locate any user profiles that do not hae a password leel 0 or 1 password. If the user profile will require a password after the QPWDLVL is changed, the administrator should ensure that a password leel 0 and 1 password is created for the profile using one of the following mechanisms: Change the password for the user profile using the CHGUSRPRF or CHGPWD CL command or the QSYCHGPW API. This will cause the system to change the password that is usable at password leels 2 and 3; and the system also creates an equialent uppercase password that is usable at password leels 0 and 1. The system is only able to create the password leel 0 and 1 password if the following conditions are met: The password is 10 characters or less in length. The password can be conerted to uppercase EBCDIC characters A-Z, 0-9, @, #, $, and underscore. The password does not begin with a numeric or underscore character. For example, changing the password to a alue of RainyDay would result in the system generating a password leel 0 and 1 password of RAINYDAY. But changing the the password alue to Rainy Days In April would cause the system to clear the password leel 0 and 1 password (because the password is too long and it contains blanks). No message or indication is produced if the password leel 0 or 1 password could not be created. Sign on to the system through a mechanism that presents the password in clear text (does not use password substitution). If the password is alid and the user profile does not hae a password that is usable at password leels 0 and 1, the system creates an equialent uppercase password that is usable at password leels 0 and 1. The system is only able to create the password leel 0 and 1 password if the conditions listed aboe are met. The administrator can then change QPWDLVL to 1. All iseries NetSerer passwords are cleared when the change to QPWDLVL 1 takes effect (next IPL). Considerations for changing from QPWDLVL 2 to 0: The considerations are the same as for changing from QPWDLVL 2 to 1 except that all iseries NetSerer passwords are retained when the change takes effect. Considerations for changing from QPWDLVL 1 to 0: After changing QPWDLVL to 0, the administrator should use the DSPAUTUSR or PRTUSRPRF commands to locate any user profiles that do not hae an iseries NetSerer password. If the user profile requires an iseries NetSerer password, it can be created by changing the user s password or signing on through a mechanism that presents the password in clear text. The administrator can then change QPWDLVL to 0. 24 Tips and tools for securing your iseries serer V5R2

Change known passwords Do the following to close some well-known entrances into the iseries serer that may exist on your system. Step 1. Step 2. Step 3. Step 4. Step 5. Make sure that no user profiles still hae default passwords (equal to the user profile name). You can use the Analyze Default Passwords (ANZDFTPWD) command. (See Aoid default passwords on page 30.) Try to sign on to your system with the combinations of user profiles and passwords that are shown in Table 2. These passwords are published, and they are the first choice of anyone who is trying to break into your system. If you can sign on, use the Change User Profile (CHGUSRPRF) command to change the password to the recommended alue. Start the Dedicated Serice Tools (DST) and try to sign on with the passwords that are shown in Table 2. Refer to the iseries Information Center >Security >Serice Tools. See Prerequisite and related information on page xii for information on accessing the iseries Information Center. If you can sign on to DST with any of these passwords, you should change the passwords. The iseries Information Center >Security >Serice Tools proide detailed instructions on how to change the serice tools user IDs and passwords. See Prerequisite and related information on page xii for information on accessing the iseries Information Center. Finally, make sure that you cannot sign on just by pressing the Enter key at the Sign On display without entering a user ID and password. Try seeral different displays. If you can sign on without entering information on the Sign On display, do one of the following: Change to security leel 40 or 50 (QSECURITY system alue). Note: Your applications might run differently when you increase your security leel to 40 or 50. Change all of the workstation entries for interactie subsystems to point to job descriptions that specify USER(*RQD). Table 2. Passwords for IBM-supplied profiles User ID Password Recommended alue QSECOFR QSECOFR 1 A nontriial alue known only to the security administrator. Write down the password that you hae selected and store it in a safe place. QSYSOPR QSYSOPR *NONE 2 QPGMR QPGMR *NONE 2 QUSER QUSER *NONE 2, 3 QSRV QSRV *NONE 2 QSRVBAS QSRVBAS *NONE 2 Chapter 4. Control interactie sign-on 25

Table 2. Passwords for IBM-supplied profiles (continued) User ID Password Recommended alue Notes: 1. The system arries with the Set password to expired alue for the QSECOFR set to *YES. The first time that you sign on to a new system, you must change the QSECOFR password. 2. The system needs these user profiles for system functions, but you should not allow users to sign on with these profiles. For new systems installed with V3R1 or later releases, this password is shipped as *NONE. When you run the CFGSYSSEC command, the system sets these passwords to *NONE. 3. To run iseries Access for Windows using TCP/IP, the QUSER user profile must be enabled. Table 3. Passwords for dedicated serice tools DST Leel User ID 1 Password Recommended alue Basic capability 11111111 11111111 A nontriial alue known only to the security administrator. 2 Full capability 22222222 22222222 3 A nontriial alue known only to the security administrator. 2 Security capability QSECOFR QSECOFR 3 A nontriial alue known only to the security administrator. 2 Serice capability QSRV QSRV 3 A nontriial alue known only to the security administrator. 2 Notes: 1. A user ID is only required for PowerPC AS (RISC) releases of the operating system. 2. If your hardware serice representatie needs to sign on with this user ID and password, change the password to a new alue after the hardware serice representatie leaes. 3. The serice tools user profile will expire as soon as it is used for the first time. Set sign-on alues Note: DST passwords can only be changed by an authenticated deice. This is also true for all passwords and corresponding user IDs that are identical. For more information on authenticated deices, see the Operations Console setup information in the iseries Information Center. Table 4 shows seeral alues that you can set to make it more difficult for an unauthorized person to sign on to your system. If you run the CFGSYSSEC command, it sets these system alues to the recommended settings. You can read more about these system alues in Chapter 3 of the iseries Security Reference book. Table 4. Sign-on system alues System alue name Description Recommended setting QAUTOCFG QAUTOVRT Whether the system automatically configures new deices. The number of irtual deice descriptions that the system will automatically create if no deice is aailable for use. 0(No) 0 26 Tips and tools for securing your iseries serer V5R2

Table 4. Sign-on system alues (continued) System alue name Description Recommended setting QDEVRCYACN QDSCJOBITV QDSPSGNINF QINACTITV QINACTMSGQ QLMTDEVSSN QLMTSECOFR QMAXSIGN QMAXSGNACN What the system does when a deice *DSCMSG reconnects after an error. 1 How long the system waits before ending a 120 disconnected job. Whether the system displays information about 1 (Yes) preious sign-on actiity when a user signs on. How long the system waits before taking action 60 when an interactie job is inactie. What the system does when the QINACTITV *ENDJOB time period is reached. Whether the system preents a user from 1 (Yes) signing on at more than one work station at the same time. Whether users with *ALLOBJ or *SERVICE 1 (Yes) 2 special authority can sign on only at specific work stations. Maximum consecutie, incorrect sign-on 3 attempts (user profile or password is incorrect). What the system does when the QMAXSIGN 3 (Disable both limit is reached. user profile and deice) Notes: 1. The system can disconnect and reconnect TELNET sessions when the deice description for the session is explicitly assigned. 2. If you set the system alue to 1 (Yes), you will need to explicitly authorize users with *ALLOBJ or *SERVICE special authority to deices. The simplest way to do this is to gie the QSECOFR user profile *CHANGE authority to specific deices. Change sign-on error messages Hackers like to know when they are making progress toward breaking into a system. When an error message on the Sign On display says Password not correct, the hacker can assume that the user ID is correct. You can frustrate the hacker by using the Change Message Description (CHGMSGD) command to change the text for two sign-on error messages. Table 5 shows the recommended text. Table 5. Sign-on error messages Message ID Shipped text Recommended text CPF1107 CPF1107 Password not correct for user profile. Sign-on information is not correct Note: Do not include the message ID in the message text. CPF1120 CPF1120 User XXXXX does not exist. Sign-on information is not correct. Note: Do not include the message ID in the message text. Chapter 4. Control interactie sign-on 27

Schedule aailability of user profiles You may want some user profiles to be aailable for sign-on only at certain times of the day or certain days of the week. For example, if you hae a profile set up for a security auditor, you may want to enable that user profile only during the hours that the auditor is scheduled to work. You might also want to disable user profiles with *ALLOBJ special authority (including the QSECOFR user profile) during off-hours. You can use the Change Actiation Schedule Entry (CHGACTSCDE) command to set up user profiles to be enabled and disabled automatically. For each user profile that you want to schedule, you create an entry that defines the user profile s schedule. For example, if you want the QSECOFR profile to be aailable only between 7 in the morning and 10 in the eening, you would type the following on the CHGACTSCDE display: Type choices, press Enter. Change Actiation Scd Entry (CHGACTSCDE) User profile.......... > QSECOFR Name Enable time.......... > 7:00 Time, *NONE Disable time.......... > 22:00 Time, *NONE Days.............. > *MON *ALL, *MON, *TUE, *WED... > *TUE > *WED > *THU + for more alues > *FRI Figure 2. Schedule Profile Actiation Display Sample In fact, you might want to hae the QSECOFR profile aailable only for a ery limited number of hours each day. You can use another user profile with the *SECOFR class to perform most system functions. Thus, you aoid exposing a well-known user profile to hacking attempts. You can use the Display Audit Journal Entries (DSPAUDJRNE) command periodically to print the CP (Change Profile) audit journal entries. Use these entries to erify that the system is enabling and disabling user profiles according to your planned schedule. Another method for checking to ensure that user profiles are being disabled on your planned schedule is to use the Print User Profile (PRTUSRPRF) command. When you specify *PWDINFO for the report type, the report includes the status of each selected user profile. If, for example, you regularly disable all user profiles with *ALLOBJ special authority, you can schedule the following command to run immediately after the profiles are disabled: PRTUSRPRF TYPE(*PWDINFO) SELECT(*SPCAUT) SPCAUT(*ALLOBJ) 28 Tips and tools for securing your iseries serer V5R2

Remoe inactie user profiles Your system should contain only user profiles that are necessary. If you no longer need a user profile because the user either has left or has taken a different job within the organization, remoe the user profile. If someone is gone from the organization for an extended period, disable (deactiate) that user s profile. An unnecessary user profile may proide unauthorized entry to your system. Disable user profiles automatically You can use the Analyze Profile Actiity (ANZPRFACT) command to regularly disable user profiles that hae been inactie for a specified number of days. When you use the ANZPRFACT command, you specify the number of inactie days that the system looks for. The system looks at the last used date, the restore date, and the creation date for the user profile. Once you hae specified a alue for the ANZPRFACT command, the system schedules a job to run weekly at 1 a.m. (starting with the day after you first specified a alue). The job examines all profiles and disables inactie profiles. You do not need to use the ANZPRFACT command again unless you want to change the number of inactie days. You can use the Change Actie Profile List (CHGACTPRFL) command to make some profiles exempt from ANZPRFACT processing. The CHGACTPRFL command creates a list of user profiles that the ANZPRFACT command will not disable, no matter how long those profiles hae been inactie. When the system runs the ANZPRFACT command, it writes a CP entry in the audit journal for each user profile that is disabled. You can use the DSPAUDJRNE command to list the user profiles that are newly disabled. Note: The system writes audit entries only if the QAUDCTL alue specifies *AUDLVL and the QAUDLVL system alue specifies *SECURITY. Another method for checking to ensure that user profiles are being disabled on your planned schedule is to use the Print User Profile (PRTUSRPRF) command. When you specify *PWDINFO for the report type, the report includes the status of each selected user profile. Remoe user profiles automatically You can use the Change Expiration Schedule Entry (CHGEXPSCDE) command to manage the remoing or disabling of user profiles. If you know that a user is leaing for an extended period, you can schedule the user profile to be remoed or disabled. The first time that you use the CHGEXPSCDE command, it creates a job schedule entry that runs at 1 minute after midnight eery day. The job looks at the QASECEXP file to determine whether any user profiles are scheduled for remoal on that day. With the CHGEXPSCDE command, you either disable or delete a user profile. If you choose to delete a user profile, you must specify what the system will do with the objects that the user owns. Before you schedule a user profile for deletion, you need to research the objects that the user owns. For example, if the user owns programs that adopt authority, do you want those programs to adopt the ownership of the new owner? Or does the new owner hae more authority than Chapter 4. Control interactie sign-on 29

Aoid default passwords necessary (such as special authority)? Perhaps, you need to create a new user profile with specific authorities to own the programs that need to adopt authority. You also need to research whether any application problems will occur if you delete the user profile. For example, do any job descriptions specify the user profile as the default user? You can use the Display Expiration Schedule (DSPEXPSCD) command to display the list of profiles that are scheduled to be disabled or remoed. You can use the Display Authorized Users (DSPAUTUSR) command to list all of the user profiles on your system. Use the Delete User Profile (DLTUSRPRF) command to delete outdated profiles. Security note:: You disable a user profile by setting its status to *DISABLED. When you disable a user profile, you make it unaailable for interactie use. You cannot sign on with or change your job to a disabled user profile. Batch jobs can run under a user profile that is disabled. When you create a new user profile, the default is to make the password the same as the user profile name. This proides an opportunity for someone to enter your system, if someone knows your policy for assigning profile names and knows that a new person is joining your organization. When you create new user profiles, consider assigning a unique, non-triial password instead of using the default password. Tell the new user the password confidentially, such as in a Welcome to the System letter that outlines your security policies. Require the user to change the password the first time that the user signs on by setting the user profile to PWDEXP(*YES). You can use the Analyze Default Passwords (ANZDFTPWD) command to check all the user profiles on your system for default passwords. When you print the report, you hae the option of specifying that the system should take action (such as disabling the user profile) if the password is the same as the user profile name. The ANZDFTPWD command prints a list of the profiles that it found and any action that it took. Note: Passwords are stored on your system in one-way encrypted form. They cannot be decrypted. The system encrypts the specified password and compares it to the stored password just as it would check a password when you sign on the system. If you are auditing authority failures (*AUTFAIL), the system will write a PW audit journal entry for each user profile that does not hae a default password (for systems running V4R1 or earlier releases). Beginning with V4R2, the system does not write PW audit journal entries when you run the ANZDFTPWD command. Monitor sign-on and password actiity If you are concerned about unauthorized attempts to enter your system, you can use the PRTUSRPRF command to help you monitor sign-on and password actiity. Following are seeral suggestions for using this report: 30 Tips and tools for securing your iseries serer V5R2

Store password information Determine whether the password expiration interal for some user profiles is longer than the system alue and whether the longer expiration interal is justified. For example, in the report, USERY has a password expiration interal of 120 days. Run this report regularly to monitor unsuccessful sign-on attempts. Someone who is trying to break into your system may be aware that your system takes action after a certain number of unsuccessful attempts. Each night, the would-be intruder might try fewer times than your QMAXSIGN alue to aoid alerting you to the attempts. Howeer, if you run this report early each morning and notice that certain profiles often hae unsuccessful sign-on attempts, you might suspect that you hae a problem. Identify user profiles that hae not been used for a long time or whose passwords hae not been changed for a long time. To support some network functions and communications requirements, iseries serers proide a secure method for storing passwords that can be decrypted. Your system uses these passwords, for example, to establish a SLIP connection with another system. ( Security and dial-out sessions on page 128 describes this use of stored passwords.) iseries serers stores these special passwords in a secure area that is not accessible to any user programs or interfaces. Only explicitly authorized system functions can set these passwords and retriee them. For example, when you use a stored password for dial-out SLIP connections, you set the password with the system command that creates the configuration profile (WRKTCPPTP). You must hae *IOSYSCFG to use the command. A specially coded connection script retriees the password and decrypts it during the dial-out procedure. The decrypted password is not isible to the user or in any job log. As a security administrator, you need to decide whether you will allow passwords that can be decrypted to be stored on your system. You use the Retain Serer Security Data (QRETSVRSEC) system alue to specify this. The default is 0 (No). Therefore, your system will not store passwords that can be decrypted unless you explicitly set this system alue. If you hae network or communications requirements for stored passwords, you should set appropriate policies and understand the policies and practices of your communications partners. For example, when you use SLIP to communicate with another iseries serer, both systems should consider setting up special user profiles for establishing the sessions. The special profiles should hae limited authority on the system. This limits the impact to your system if a stored password is compromised on a partner system. Chapter 4. Control interactie sign-on 31

32 Tips and tools for securing your iseries serer V5R2

Chapter 5. Configure the iseries to use Security Tools This information describes how to set up your system to use the security tools that are part of OS/400. When you install OS/400, the security tools tools are ready to use. The topics that follow proide suggestions for operating procedures with the security tools. Operate Security Tools securely Aoid file conflicts When you install OS/400, the objects that are associated with the security tools are secure. To operate the security tools securely, aoid making authority changes to any security tool objects. Following are the security settings and requirements for security tool objects: The security tool programs and commands are in the QSYS product library. The commands and the programs ship with the public authority of *EXCLUDE. Many of the security tool commands create files in the QUSRSYS library. When the system creates these files, the public authority for the files is *EXCLUDE. Files that contain information for producing changed reports hae names that begin with QSEC. Files that contain information for managing user profiles hae names that begin with QASEC. These files contain confidential information about your system. Therefore, you should not change the public authority to the files. The security tools use your normal system setup for directing printed output. These reports contain confidential information about your system. To direct the output to a protect output queue, make appropriate changes to the user profile or job description for users who will be running the security tools. Because of their security functions and because they access many objects on the system, the security tool commands require *ALLOBJ special authority. Some of the commands also require *SECADM, *AUDIT, or *IOSYSCFG special authority. To ensure that the commands run successfully, you should sign on as a security officer when you use the security tools. Therefore, you should not need to grant priate authority to any security tool commands. Many of the security tool report commands create a database file that you can use to print a changed ersion of the report. Commands and menus for security commands tells the file name for each command. You can only run a command from one job at a time. Most of the commands now hae checks that enforce this. If you run a command when another job has not yet finished running it, you will receie an error message. Many print jobs are long-running jobs. You need to be careful to aoid file conflicts when you submit reports to batch or add them to the job scheduler. For example, you might want to print two ersions of the PRTUSRPRF report with different selection criteria. If you are submitting reports to batch, you should use a job queue that runs only one job at a time to ensure that the report jobs run sequentially. If you are using the job scheduler, you need to schedule the two jobs far enough apart that the first ersion completes before the second job starts. Copyright IBM Corp. 1996, 2002 33

Sae Security Tools You sae the security tool programs wheneer you run either the Sae System (SAVSYS) command or an option from the Sae menu that runs the SAVSYS command. The security tool files are in the QUSRSYS library. You should already be saing this library as part of your normal operating procedures. The QUSRSYS library contains data for many licensed programs on your system. See the Information Center for more information about what commands and options sae the QUSRSYS library. Commands and menus for security commands This section describes the commands and menus for security tools. Examples of how to use the commands are included throughout this information. Two menus are aailable for security tools: The SECTOOLS (Security Tools) menu to run commands interactiely. The SECBATCH (Submit or Schedule Security Reports to Batch) menu to run the report commands in batch. The SECBATCH menu has two parts. The first part of the menu uses the Submit Job (SBMJOB) command to submit reports for immediate processing in batch. The second part of the menu uses the Add Job Schedule Entry (ADDJOBSCDE) command. You use it to schedule security reports to be run regularly at a specified day and time. Security Tools menu options Table 6 describes these menu options and the associated commands: Table 6. Tool commands for user profiles Menu 1 option Command name Description Database file used 1 ANZDFTPWD Use the Analyze Default Passwords command to report on and take action on user profiles that hae a password equal to the user profile name. 2 DSPACTPRFL Use the Display Actie Profile List command to display or print the list of user profiles that are exempt from ANZPRFACT processing. 3 CHGACTPRFL Use the Change Actie Profile List command to add and remoe user profiles from the exemption list for the ANZPRFACT command. A user profile that is on the actie profile list is permanently actie (until you remoe the profile from the list). The ANZPRFACT command does not disable a profile that is on the actie profile list, no matter how long the profile has been inactie. QASECPWD 2 QASECIDL 2 QASECIDL 2 34 Tips and tools for securing your iseries serer V5R2

Table 6. Tool commands for user profiles (continued) Menu 1 option Command name Description Database file used 4 ANZPRFACT Use the Analyze Profile Actiity command to disable user profiles that hae not been used for a specified number of days. After you use the ANZPRFACT command to specify the number of days, the system runs the ANZPRFACT job nightly. QASECIDL 2 You can use the CHGACTPRFL command to exempt user profiles from being disabled. 5 DSPACTSCD Use the Display Profile Actiation Schedule command to display or print information about the schedule for enabling and disabling specific user profiles. You create the schedule with the CHGACTSCDE command. 6 CHGACTSCDE Use the Change Actiation Schedule Entry command to make a user profile aailable for sign on only at certain times of the day or week. For each user profile that you schedule, the system creates job schedule entries for the enable and disable times. 7 DSPEXPSCD Use the Display Expiration Schedule command to display or print the list of user profiles that are scheduled to be disabled or remoed from the system in the future. You use the CHGEXPSCDE command to set up user profiles to expire. 8 CHGEXPSCDE Use the Change Expiration Schedule Entry command to schedule a user profile for remoal. You can remoe it temporarily (by disabling it) or you can delete it from the system. This command uses a job schedule entry that runs eery day at 00:01 (1 minute after midnight). The job looks at the QASECEXP file to determine whether any user profiles are set up to expire on that day. QASECACT 2 QASECACT 2 QASECEXP 2 QASECEXP 2 Use the DSPEXPSCD command to display the user profiles that are scheduled to expire. 9 PRTPRFINT Use the Print Profile Internals command to print a report containing information on the number of entries contained in a user profile. The number of entries determines the size of the user profile. Notes: 1. Options are from the SECTOOLS menu. 2. This file is in the QUSRSYS library. You can page down on the menu to see additional options. Table 7 on page 36 describes the menu options and associated commands for security auditing: Chapter 5. Configure the iseries to use Security Tools 35

Table 7. Tool commands for security auditing Menu 1 option Command name Description Database file used 10 CHGSECAUD Use the Change Security Auditing command to set up security auditing and to change the system alues that control security auditing. When you run the CHGSECAUD command, the system creates the security audit (QAUDJRN) journal if it does not exist. The CHGSECAUD command proides options that make it simpler to set the QAUDLVL (audit leel) system alue. You can specify *ALL to actiate all of the possible audit leel settings. Or, you can specify *DFTSET to actiate the most commonly used settings (*AUTFAIL, *CREATE, *DELETE, *SECURITY, and *SAVRST). Note: If you use the security tools to set up auditing, be sure to plan for management of your audit journal receiers. Otherwise, you might quickly encounter problems with disk utilization. 11 DSPSECAUD Use the Display Security Auditing command to display information about the security audit journal and the system alues that control security auditing. Notes: 1. Options are from the SECTOOLS menu. Use the Security Batch menu Following is the first part of the SECBATCH menu: SECBATCH Select one of the following: Submit or Schedule Security Reports To Batch System: Submit Reports to Batch 1. Adopting objects 2. Audit journal entries 3. Authorization list authorities 4. Command authority 5. Command priate authorities 6. Communications security 7. Directory authority 8. Directory priate authority 9. Document authority 10. Document priate authority 11. File authority 12. File priate authority 13. Folder authority When you select an option from this menu, you see the Submit Job (SBMJOB) display. If you want to change the default options for the command, you can press F4 (Prompt) on the Command to run line. To see the Schedule Batch Reports, page down on the SECBATCH menu. By using the options on this part of the menu, you can, for example, set up your system to run changed ersions of reports regularly. You can page down for additional menu 36 Tips and tools for securing your iseries serer V5R2

options. When you select an option from this part of the menu, you see the Add Job Schedule Entry (ADDJOBSCDE) display. You can position your cursor on the Command to run line and press F4 (Prompt) to choose different settings for the report. You should assign a meaningful job name so that you can recognize the entry when you display the job schedule entries. Security Batch menu options Table 8 describes the menu options and associated commands for security reports. When you run security reports, the system prints only information that meets both the selection criteria that you specify and the selection criteria for the tool. For example, job descriptions that specify a user profile name are security-releant. Therefore, the job description (PRTJOBDAUT) report prints job descriptions in the specified library only if the public authority for the job description is not *EXCLUDE and if the job description specifies a user profile name in the USER parameter. Similarly, when you print subsystem information (PRTSBSDAUT command), the system prints information about a subsystem only when the subsystem description has a communications entry that specifies a user profile. If a particular report prints less information than you expect, consult the online help information to find out the selection criteria for the report. Table 8. Commands for security reports Menu 1 option Command name Description Database file used 1, 40 PRTADPOBJ Use the Print Adopting Objects command to print a list of objects that adopt the authority of the specified user profile. You can specify a single profile, a generic profile name (such as all profiles that begin with Q), or all user profiles on the system. QSECADPOLD 2 This report has two ersions. The full report lists all adopted objects that meet the selection criteria. The changed report lists differences between adopted objects that are currently on the system and adopted objects that were on the system the last time that you ran the report. 2, 41 DSPAUDJRNE Use the Display Audit Journal Entries command to display or print information about entries in the security audit journal. You can select specific entry types, specific users, and a time period. QASYxxJ4 3 Chapter 5. Configure the iseries to use Security Tools 37

Table 8. Commands for security reports (continued) Menu 1 option Command name Description Database file used 3, 42 PRTPVTAUT *AUTL When you use the Print Priate Authorities command for *AUTL objects, you receie a list of all the authorization lists on the system. The report includes the users who are authorized to each list and what authority the users hae to the list. Use this information to help you analyze sources of object authority on your system. QSECATLOLD 2 This report has three ersions. The full report lists all authorization lists on the system. The changed report lists additions and changes to authorization since you last ran the report. The deleted report lists users whose authority to the authorization list has been deleted since you last ran the report. When you print the full report, you hae the option to print a list of objects that each authorization list secures. The system will create a separate report for each authorization list. 6, 45 PRTCMNSEC Use the Print Communications Security command to print the security-releant settings for objects that affect communications on your system. These settings affect how users and jobs can enter your system. This command produces two reports: a report that displays the settings for configuration lists on the system and a report that lists security-releant parameters for line descriptions, controllers, and deice descriptions. Each of these reports has a full ersion and a changed ersion. 15, 54 PRTJOBDAUT Use the Print Job Description Authority command to print a list of job descriptions that specify a user profile and hae public authority that is not *EXCLUDE. The report shows the special authorities for the user profile that is specified in the job description. QSECCMNOLD 2 QSECJBDOLD 2 This report has two ersions. The full report lists all job description objects that meet the selection criteria. The changed report lists differences between job description objects that are currently on the system and job description objects that were on the system the last time that you ran the report. 38 Tips and tools for securing your iseries serer V5R2

Table 8. Commands for security reports (continued) Menu 1 option Command name Description Database file used See note 4 PRTPUBAUT Use the Print Publicly Authorized Objects command to print a list of objects whose public authority is not *EXCLUDE. When you run the command, you specify the type of object and the library or libraries for the report. Use the PRTPUBAUT command to print information about objects that eery user on the system can access. QPBxxxxxx 5 This report has two ersions. The full report lists all objects that meet the selection criteria. The changed report lists differences between the specified objects that are currently on the system and objects (of the same type in the same library) that were on the system the last time that you ran the report. See note 5. PRTPVTAUT Use the Print Priate Authorities command to print a list of the priate authorities to objects of the specified type in the specified library. Use this report to help you determine the sources of authority to objects. This report has three ersions. The full report lists all objects that meet the selection criteria. The changed report lists differences between the specified objects that are currently on the system and objects (of the same type in the same library) that were on the system the last time that you ran the report. The deleted report lists users whose authority to an object has been deleted since you last printed the report. 24, 63 PRTQAUT Use the Print Queue Report to print the security settings for output queues and job queues on your system. These settings control who can iew and change entries in the output queue or job queue. QPVxxxxxx 5 QSECQOLD 2 This report has two ersions. The full report lists all output queue and job queue objects that meet the selection criteria. The changed report lists differences between output queue and job queue objects that are currently on the system and output queue and job queue objects that were on the system the last time that you ran the report. Chapter 5. Configure the iseries to use Security Tools 39

Table 8. Commands for security reports (continued) Menu 1 option Command name Description Database file used 25, 64 PRTSBSDAUT Use the Print Subsystem Description command to print the security-releant communications entries for subsystem descriptions on your system. These settings control how work can enter your system and how jobs run. The report prints a subsystem description only if it has communications entries that specify a user profile name. QSECSBDOLD 2 This report has two ersions. The full report lists all subsystem description objects that meet the selection criteria. The changed report lists differences between subsystem description objects that are currently on the system and subsystem description objects that were on the system the last time that you ran the report. 26, 65 PRTSYSSECA Use the Print System Security Attributes command to print a list of security-releant system alues and network attributes. The report shows the current alue and the recommended alue. 27, 66 PRTTRGPGM Use the Print Trigger Programs command to print a list of trigger programs that are associated with database files on your system. This report has two ersions. The full report lists eery trigger program that is assigned and meets your selection criteria. The changed report lists trigger programs that hae been assigned since the last time that you ran the report. 28, 67 PRTUSROBJ Use the Print User Objects command to print a list of the user objects (objects not supplied by IBM) that are in a library. You might use this report to print a list of user objects that are in a library (such as QSYS) that is in the system portion of the library list. QSECTRGOLD 2 QSECPUOLD 2 This report has two ersions. The full report lists all user objects that meet the selection criteria. The changed report lists differences between user objects that are currently on the system and user objects that were on the system the last time that you ran the report. 29, 68 PRTUSRPRF Use the Print User Profile command to analyze user profiles that meet specified criteria. You can select user profiles based on special authorities, user class, or a mismatch between special authorities and user class. You can print authority information, enironment information, password information, or password leel information. 30, 69 PRTPRFINT Use the Print Profile Internals command to print a report of internal information on the number of entries. 40 Tips and tools for securing your iseries serer V5R2

Table 8. Commands for security reports (continued) Menu 1 option Command name Description Database file used 31, 70 CHKOBJITG Use the Check Object Integrity command to determine whether operable objects (such as programs) hae been changed without using a compiler. This command can help you to detect attempts to introduce a irus program on your system or to change a program to perform unauthorized instructions. The iseries Security Reference book proides more information about the CHKOBJITG command. Notes: 1. Options are from the SECBATCH menu. 2. This file is in the QUSRSYS library. 3. xx is the two-character journal entry type. For example, the model output file for AE journal entries is QSYS/QASYAEJ4. The model output files are described in Appendix F of the iseries Security Reference book. 4. The SECBATCH menu contains options for the object types that are typically of concern to security administrators. For example, use options 11 or 50 to run the PRTPUBAUT command against *FILE objects. Use the general options (18 and 57) to specify the object type. 5. The SECBATCH menu contains options for the object types that are typically of concern to security administrators. For example, options 12 or 51 run the PRTPVTAUT command against *FILE objects. Use the general options (19 and 58) to specify the object type. 6. The xxxxxx in the name of the file is the object type. For example, the file for program objects is called QPBPGM for public authorities and QPVPGM for priate authorities. The files are in the QUSRSYS library. The file contains a member for each library for which you hae printed the report. The member name is the same as the library name. Commands for customizing security Table 9 describes the commands that you can use to customize the security on your system. These commands are on the SECTOOLS menu. Table 9. Commands for customizing your system Menu 1 option Command name Description Database file used 60 CFGSYSSEC Use the Configure System Security command to set security-releant system alues to their recommended settings. The command also sets up security auditing on your system. Values set by the Configure System Security command on page 42 describes what the command does. Note: To obtain security recommendations customized for your situation, run the iseries Security Wizard or the iseries Security Adisor instead of running this command. See Chapter 3, iseries Security Wizard and Security Adisor on page 15 for information on these tools. 61 RVKPUBAUT Use the Reoke Public Authority command to set the public authority to *EXCLUDE for a set of security-sensitie commands on your system. Functions of the Reoke Public Authority command on page 44 lists the actions that the RVKPUBAUT command performs. Chapter 5. Configure the iseries to use Security Tools 41

Table 9. Commands for customizing your system (continued) Menu 1 option Command name Description Database file used Notes: 1. Options are from the SECTOOLS menu. Values set by the Configure System Security command Table 10 lists the system alues that are set when you run the CFGSYSSEC command. The CFGSYSSEC command runs a program that is called QSYS/QSECCFGS. Table 10. Values set by the CFGSYSSEC command System alue name Setting System alue description QALWOBJRST *NONE Whether system state programs and programs that adopt authority can be restored QAUTOCFG 0 (No) Automatic configuration of new deices QAUTOVRT 0 The number of irtual deice descriptions that the system will automatically create if no deice is aailable for use. QDEVRCYACN *DSCMSG (Disconnect System action when communications is re-established with message) QDSCJOBITV 120 Time period before the system takes action on a disconnected job QDSPSGNINF 1 (Yes) Whether users see the sign-on information display QINACTITV 60 Time period before the system takes action on an inactie interactie job QINACTMSGQ *ENDJOB Action that the system takes for an inactie job QLMTDEVSSN 1 (Yes) Whether users are limited to signing on at one deice at a time QLMTSECOFR 1 (Yes) Whether *ALLOBJ and *SERVICE users are limited to specific deices QMAXSIGN 3 How many consecutie, unsuccessful sign-on attempts are allowed QMAXSGNACN 3 (Both) Whether the system disables the workstation or the user profile when the QMAXSIGN limit is reached. QRMTSIGN *FRCSIGNON How the system handles a remote (pass-through or TELNET) sign-on attempt. QRMTSVRATR 0 (Off) Allows the system to be analyzed remotely. QSECURITY 1on 50 The leel of security that is enforced page 43 QVFYOBJRST 3 (Verify signatures on Verify object on restore restore) QPWDEXPITV 60 How often users must change their passwords QPWDMINLEN 6 Minimum length for passwords QPWDMAXLEN 8 Maximum length for passwords QPWDPOSDIF 1 (Yes) Whether eery position in a new password must differ from the same position in the last password QPWDLMTCHR See note 2 on page 43 Characters that are not allowed in passwords QPWDLMTAJC 1 (Yes) Whether adjacent numbers are prohibited in passwords QPWDLMTREP 2 (Cannot be repeated consecutiely) Whether repeating characters in are prohibited in passwords 42 Tips and tools for securing your iseries serer V5R2

Table 10. Values set by the CFGSYSSEC command (continued) System alue name Setting System alue description QPWDRQDDGT 1 (Yes) Whether passwords must hae at least one number QPWDRQDDIF 1 (32 unique passwords) How many unique passwords are required before a password can be repeated QPWDVLDPGM *NONE The user exit program that the system calls to alidate passwords Notes: 1. If you are currently running with a QSECURITY alue of 40 or lower, be sure to reiew the information in Chapter 2 of the iseries Security Reference book before you change to a higher security leel. 2. The restricted characters are stored in message ID CPXB302 in the message file QSYS/QCPFMSG. They are shipped as AEIOU@$#. You can use the Change Message Description (CHGMSGD) command to change the restricted characters. The QPWDLMTCHR system alue is not enforced at password leels 2 or 3. The CFGSYSSEC command also sets the password to *NONE for the following IBM-supplied user profiles: QSYSOPR QPGMR QUSER QSRV QSRVBAS Finally, the CFGSYSSEC command sets up security auditing using the Change Security Auditing (CHGSECAUD) command. The CFGSYSSEC command turns on action and object auditing and also, specifies the default set of actions to audit on the CHGSECAUD command. Customize the program If some of these settings are not appropriate for your installation, you can create your own ersion of the program that processes the command. Do the following: Step 1. Step 2. Step 3. Use the Retriee CL Source (RTVCLSRC) command to copy the source for the program that runs when you use the CFGSYSSEC command. The program to retriee is QSYS/QSECCFGS. When you retriee it, gie it a different name. Edit the program to make your changes. Then compile it. When you compile it, make sure that you do not replace the IBM-supplied QSYS/QSECCFGS program. Your program should hae a different name. Use the Change Command (CHGCMD) command to change the program to process command (PGM) parameter for the CFGSYSSEC command. Set the PGM alue to the name of your program. For example, if you create a program in the QGPL library that is called MYSECCFG, you would type the following: CHGCMD CMD(QSYS/CFGSYSSEC) PGM(QGPL/MYSECCFG) Note: If you change the QSYS/QSECCFGS program, IBM cannot guarantee or imply reliability, sericeability, performance or function of the program. The implied warranties of merchantability and fitness for a particular purpose are expressly disclaimed. Chapter 5. Configure the iseries to use Security Tools 43

Functions of the Reoke Public Authority command You can use the Reoke Public Authority (RVKPUBAUT) command to set the public authority to *EXCLUDE for a set of commands and programs. The RVKPUBAUT command runs a program that is called QSYS/QSECRVKP. As it is shipped, the QSECRVKP reokes public authority (by setting public authority to *EXCLUDE) for the commands that are listed in Table 11 and the application programming interfaces (APIs) that are listed in Table 12. When your system arries, these commands and APIs hae their public authority set to *USE. The commands that are listed in Table 11 and the APIs that are listed in Table 12 all perform functions on your system that may proide an opportunity for mischief. As security administrator, you should explicitly authorize users to run these commands and programs rather than make them aailable to all system users. When you run the RVKPUBAUT command, you specify the library that contains the commands. The default is the QSYS library. If you hae more than one national language on your system, you need to run the command for each QSYSxxx library. Table 11. Commands whose public authority is set by the RVKPUBAUT command ADDAJE ADDCFGLE ADDCMNE ADDJOBQE ADDPJE ADDRTGE ADDWSE CHGAJE CHGCFGL CHGCFGLE CHGCMNE CHGCTLAPPC CHGDEVAPPC CHGJOBQE CHGPJE CHGRTGE CHGSBSD CHGWSE CPYCFGL CRTCFGL CRTCTLAPPC CRTDEVAPPC CRTSBSD ENDRMTSPT RMVAJE RMVCFGLE RMVCMNE RMVJOBQE RMVPJE RMVRTGE RMVWSE RSTLIB RSTOBJ RSTS36F RSTS36FLR RSTS36LIBM STRRMTSPT STRSBS WRKCFGL The APIs in Table 12 are all in the QSYS library: Table 12. Programs whose public authority is set by the RVKPUBAUT command QTIENDSUP QTISTRSUP QWTCTLTR QWTSETTR QY2FTML When you run the RVKPUBAUT command, the system sets the public authority for the root directory to *USE (unless it is already *USE or less). Customize the program If some of these settings are not appropriate for your installation, you can create your own ersion of the program that processes the command. Do the following: Step 1. Step 2. Use the Retriee CL Source (RTVCLSRC) command to copy the source for the program that runs when you use the RVKPUBAUT command. The program to retriee is QSYS/QSECRVKP. When you retriee it, gie it a different name. Edit the program to make your changes. Then compile it. When you compile it, make sure that you do not replace the IBM-supplied QSYS/QSECRVKP program. Your program should hae a different name. 44 Tips and tools for securing your iseries serer V5R2

Step 3. Use the Change Command (CHGCMD) command to change the program to process command (PGM) parameter for the RVKPUBAUT command. Set the PGM alue to the name of your program. For example, if you create a program in the QGPL library that is called MYRVKPGM, you would type the following: CHGCMD CMD(QSYS/RVKPUBAUT) PGM(QGPL/MYRVKPGM) Note: If you change the QSYS/QSECRVKP program, IBM cannot guarantee or imply reliability, sericeability, performance or function of the program. The implied warranties of merchantability and fitness for a particular purpose are expressly disclaimed. Chapter 5. Configure the iseries to use Security Tools 45

46 Tips and tools for securing your iseries serer V5R2

Part 3. Adanced iseries security Copyright IBM Corp. 1996, 2002 47

48 Tips and tools for securing your iseries serer V5R2

Chapter 6. Protect information assets with object authority Your challenge as security administrator is to protect your organization s information assets without frustrating the users on your system. You need to make sure that users hae enough authority to do their jobs without giing them the authority to browse throughout the system and to make unauthorized changes. Security tip Authority that is too tight can backfire. Users sometimes react to authority restrictions that are too tight by sharing passwords with each other. Object authority enforcement The OS/400 operating system proides integrated object security. Users must use the interfaces that the system proides to access objects. For example, if you want to access a database file, you must use commands or programs that are intended for accessing database files. You cannot use a command that is intended for accessing a message queue or a job log. Wheneer you use a system interface to access an object, the system erifies that you hae the authority to the object that is required by that interface. Object authority is a powerful and flexible tool for protecting the assets on your system. Your challenge as a security administrator is to set up an effectie object security scheme that you can manage and maintain. Wheneer you try to access an object, the operating system checks your authority to that object. Howeer, if the security leel on your system (QSECURITY system alue) is set to 10 or 20, eery user automatically has authority to access eery object because eery user profile has *ALLOBJ special authority. Object authority tip: If you are not sure whether you are using object security, check the QSECURITY (security leel) system alue. If QSECURITY is 10 or 20, you are not using object security. You must plan and prepare before you change to security leel 30 or higher. Otherwise, your users may not be able to access the information that they need. The Basic system security and planning topic in the Information Center proides a method for analyzing your applications and deciding how you should set up object security. If you are not yet using object security or if your object security scheme is outdated and conoluted, read this topic to help you get started. Menu security The iseries serer was originally designed as a follow-on product for S/36 and S/38. Many iseries serer installations were, at one time, S/36 installations or S/38 installations. To control what users could do, security administrators on those earlier systems often used a technique that is referred to as menu security or menu access control. Copyright IBM Corp. 1996, 2002 49

Menu access control means that when a user signs on, the user sees a menu. The user can perform only the functions that are on the menu. The user cannot get to a command line on the system to perform any functions that are not on the menu. In theory, the security administrator does not hae to worry about authority to objects because menus and programs control what users can do. The iseries serer proides seeral user profile options to assist with menu access control, you can use the: Initial menu (INLMNU) parameter to control what menu the user first sees after the user signs on. Initial program (INLPGM) parameter to run a setup program before the user sees a menu. Or, you can use the INLPGM parameter to restrict a user to running a single program. Limit capabilities (LMTCPB) parameter to restrict a user to a limited set of commands. It also preents the user from specifying a different initial program or menu on the Sign On display. (The LMTCPB parameter only limits commands that are entered from the command line.) Limitations of menu access control Computers and computer users hae changed a great deal in the past few years. Many tools, such as query programs and spreadsheets, are aailable so that users can do some of their own programming to off-load IS departments. Some tools, such as SQL or ODBC, proide the capability to iew information and to change information. To enable these tools within a menu structure is ery difficult. Fixed-function ( green-screen ) workstations are rapidly being replaced by personal computers and computer-to-computer networks. If your system participates in a network, users may enter your system without eer seeing a sign-on display or a menu. As a security administrator who is trying to enforce menu access control, you hae two basic problems: If you are successful in limiting users to menus, your users will probably be unhappy because their ability to use modern tools is limited. If you are not successful, you could jeopardize critical, confidential information that menu access control is supposed to protect. When your system participates in a network, your ability to enforce menu access control decreases. For example, the LMTCPB parameter applies only to commands that are entered from a command line in an interactie session. The LMTCPB parameter has no affect on requests from communications sessions, such as PC file transfer, FTP, or remote commands. Enhance menu access control with object security With the many new options that are aailable to connect to systems, a iable iseries serer security scheme for the future cannot rely solely on menu access control. This topic proides suggestions for moing toward an object security enironment to complement your menu access control. The Basic system security and planning topic in the Information Center describes a technique for analyzing the authority that users must hae to objects to run your current applications. You then assign users to groups and gie the groups appropriate authority. This approach is reasonable and logical. Howeer, if your 50 Tips and tools for securing your iseries serer V5R2

system has been operational for many years and has many applications, the task of analyzing applications and setting up object authority probably seems oerwhelming. Object authority tip: Your current menus combined with programs that adopt the authority of the program owners may proide a transition beyond menu access control. Be sure to protect both the programs that adopt authority and the user profiles that own them. You may be able to use your current menus to help you set up a transition enironment while you gradually analyze your applications and objects. Following is an example that uses the Order Entry (OEMENU) menu and the associated files and programs. Example: Set up a transition enironment This example starts with the following assumptions and requirements: All of the files are in the library ORDERLIB. You do not know the names of all the files. You also do not know what authority the menu options require to different files. The menu and all the programs that it calls are in a library called ORDERPGM. You want eeryone who can sign on to your system to be able to iew information in all the order files, customer files, and item files (with queries or spreadsheets, for example). Only users whose current sign-on menu is the OEMENU should be able to change the files. And, they must use the programs on the menu to do this. System users other than the security administrators do not hae *ALLOBJ or *SECADM special authority. Perform the following steps to change this menu-access-control enironment to accommodate the need for queries: Step 1. Make a list of the users whose initial menu is the OEMENU. You can use the Print User Profile (PRTUSRPRF *ENVINFO) command to list the enironment for eery user profile on your system. The report includes the initial menu, initial program, and current library. Figure 7 on page 66 shows an example of the report. Step 2. Step 3. Step 4. Make sure that the OEMENU object (it may be a *PGM object or a *MENU object) is owned by a user profile that is not used for sign on. The user profile should be disabled or hae a password of *NONE. For this example, assume that OEOWNER owns the OEMENU program object. Make sure that the user profile that owns the OEMENU program object is not a group profile. You can use the following command: DSPUSRPRF USRPRF(OEOWNER) TYPE(*GRPMBR) Change the OEMENU program to adopt the authority of the OEOWNER user profile. (Use the CHGPGM command to change the USRPRF parameter to *OWNER.) Note: *MENU objects cannot adopt authority. IF OEMENU is a *MENU object, you can adapt this example by doing one of the following: Create a program to display the menu. Chapter 6. Protect information assets with object authority 51

Step 5. Step 6. Step 7. Step 8. Step 9. Use adopted authority for the programs that run when the user selects options from the OEMENU menu. Set the public authority to all of the files in ORDERLIB to *USE by typing the following two commands: RVKOBJAUT OBJ(ORDERLIB/*ALL) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*ALL) GRTOBJAUT OBJ(ORDERLIB/*ALL) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*USE) Remember that if you select *USE authority, users can copy the file by using PC file transfer or FTP. Gie the profile that owns the menu program *ALL authority to the files by typing the following: GRTOBJAUT OBJ(ORDERLIB/*ALL) OBJTYPE(*FILE) USER(OEOWNER) AUT(*ALL) For most applications, *CHANGE authority to files is sufficient. Howeer, your applications may perform functions, such as clearing physical file members, that require more authority than *CHANGE. Eentually, you should analyze your applications and proide only the minimum authority that is necessary for the application. Howeer, during the transition period, by adopting *ALL authority, you aoid applications failures that may be caused by insufficient authority. Restrict authority to the programs in the order library by typing the following: GRTOBJAUT OBJ(ORDERPGM/*ALL) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*EXCLUDE) Gie the OEOWNER profile authority to the programs in the library by typing the following: GRTOBJAUT OBJ(ORDERPGM/*ALL) OBJTYPE(*PGM) USER(OEOWNER) AUT(*USE) Gie the users that you identified in step 1 authority to the menu program by typing the following for each user: GRTOBJAUT OBJ(ORDERPGM/OEMENU) OBJTYPE(*PGM) USER(user-profile-name) AUT(*USE) When you hae completed these steps, all system users who are not explicitly excluded will be able to access (but not change) the files in the ORDERLIB library. Users who hae authority to the OEMENU program will be able to use the programs that are on the menu to update files in the ORDERLIB library. Only users who hae authority to the OEMENU program will now be able to change the files in this library. A combination of object security and menu access control protects the files. When you complete similar steps for all the libraries that contain user data, you hae created a simple scheme for controlling database updates. This method preents system users from updating database files except when they use the approed menus and programs. At the same time, you hae made database files aailable for iewing, analyzing, and copying by users with decision-support tools or with links from another system or from a PC. Object authority tip: When your system participates in a network, *USE authority may proide more authority than you expect. For example, with FTP, you can make a copy of a file to another system (including a PC) if you hae *USE authority to the file. 52 Tips and tools for securing your iseries serer V5R2

Use library security to complement menu security To access an object in a library, you must hae authority both to the object and to the library. Most operations require either *EXECUTE authority or *USE authority to the library. Configure object ownership Depending on your situation, you may be able to use library authority as a simple means for securing objects. For example, assume that for the Order-Entry menu example, eeryone who has authority to the Order Entry menu can use all of the programs in the ORDERPGM library. Rather than securing indiidual programs, you can set the public authority to the ORDERPGM library to *EXCLUDE. You can then grant *USE authority to the library to specific user profiles, which will allow them to use the programs in the library. (This assumes that public authority to the programs is *USE or greater.) Library authority can be a simple, efficient method for administering object authority. Howeer, you must ensure that you are familiar with the contents of the libraries that you are securing so that you do not proide unintended access to objects. The ownership of objects on your system is an important part of your object authority scheme. By default, the owner of an object has *ALL authority to the object. Chapter 5 in the iseries Security Reference book proides recommendations and examples for planning object ownership. Following are a few tips: In general, group profiles should not own objects. If a group profile owns an object, all group members hae *ALL authority to the object unless the group member is explicitly excluded. If you use adopted authority, consider whether the user profiles that own programs should also own application objects, such as files. You may not want the users who run the programs that adopt authority to hae *ALL authority to files. If you are using iseries Naigator, this can be accomplished by completing the changes using the security policies function. For more information, refer to the iseries Information Center (see Prerequisite and related information on page xii for details). Object authority to system commands and programs Following are seeral suggestions when you restrict authority to IBM-supplied objects: When you hae more than one national language on your system, your system has more than one system (QSYS) library. Your system has a QSYSxxxx library for each national language on your system. If you are using object authority to control access to system commands, remember to secure the command in the QSYS library and in eery QSYSxxx library on your system. The System/38 library sometimes proides a command with function that is equialent to the commands that you want to restrict. Be sure you restrict the equialent command in the QSYS38 library. If you hae the System/36 enironment, you may need to restrict additional programs. For example, the QY2FTML program proides System/36 file transfer. Chapter 6. Protect information assets with object authority 53

Audit security functions This chapter describes techniques for auditing the effectieness of security on your system. People audit their system security for seeral reasons: To ealuate whether the security plan is complete. To make sure that the planned security controls are in place and working. This type of auditing is usually performed by the security officer as part of daily security administration. It is also performed, sometimes in greater detail, as part of a periodic security reiew by internal or external auditors. To make sure that system security is keeping pace with changes to the system enironment. Some examples of changes that affect security are: New objects created by system users New users admitted to the system Change of object ownership (authorization not adjusted) Change of responsibilities (user group changed) Temporary authority (not timely reoked) New products installed To prepare for a future eent, such as installing a new application, moing to a higher security leel, or setting up a communications network. The techniques described in this chapter are appropriate for all these situations. Which things you audit and how often depends on the size and security needs of your organization. The purpose of this chapter is to discuss what information is aailable, how to obtain it, and why it is needed, rather than to gie guidelines for the frequency of audits. This information has three parts: A checklist of security items that can be planned and audited. Information about setting up and using the audit journal proided by the system. Other techniques that are aailable to gather security information on the system. Security auditing inoles using commands on the iseries system and accessing log and journal information on the system. You may want to create a special profile to be used by someone doing a security audit of your system. The auditor profile will need *AUDIT special authority to be able to change the audit characteristics of your system. Some of the auditing tasks suggested in this chapter require a user profile with *ALLOBJ and *SECADM special authority. Be sure that you set the password for the auditor profile to *NONE when the audit period has ended. For more details on security auditing see Chapter 9, of the Security Reference book. Analyze user profiles You can display or print a complete list of all the users on your system with the Display Authorized Users (DSPAUTUSR) command. The list can be sequenced by profile name or group profile name. Following is an example of the group profile sequence: 54 Tips and tools for securing your iseries serer V5R2

Display Authorized Users Password Group User Last No Profile Profile Changed Password Text DPTSM ANDERSOR 08/04/0x Roger Anders VINCENTM 09/15/0x Mark Vincent DPTWH ANDERSOR 08/04/0x Roger Anders WAGNERR 09/06/0x Rose Wagner QSECOFR JONESS 09/20/0x Sharon Jones HARRISOK 08/29/0x Ken Harrison *NO GROUP DPTSM 09/05/0x X Sales and Marketing DPTWH 08/13/0x X Warehouse RICHARDS 09/05/0x Janet Richards SMITHJ 09/18/0x John Smith Print selected user profiles You can use the Display User Profile (DSPUSRPRF) command to create an output file, which you can process using a query tool. DSPUSRPRF USRPRF(*ALL) + TYPE(*BASIC) OUTPUT(*OUTFILE) You can use a query tool to create a ariety of analysis reports of your output file, such as: A list of all users who hae both *ALLOBJ and *SPLCTL special authority. A list of all users sequenced by a user profile field, such as initial program or user class. You can create query programs to produce different reports from your output file. For example: List all user profiles that hae any special authorities by selecting records where the field UPSPAU is not equal to *NONE. List all users who are allowed to enter commands by selecting records where the Limit capabilities field (called UPLTCP in the model database outfile) is equal to *NO or *PARTIAL. List all users who hae a particular initial menu or initial program. List inactie users by looking at the date last sign-on field. Examine large user profiles User profiles with large numbers of authorities, appearing to be randomly spread oer most of the system, can reflect a lack of security planning. Following is one method for locating large user profiles and ealuating them: 1. Use the Display Object Description (DSPOBJD) command to create an output file containing information about all the user profiles on the system: DSPOBJD OBJ(*ALL) OBJTYPE(*USRPRF) + DETAIL(*BASIC) OUTPUT(*OUTFILE) 2. Create a query program to list the name and size of each user profile, in descending sequence by size. Chapter 6. Protect information assets with object authority 55

3. Print detailed information about the largest user profiles and ealuate the authorities and owned objects to see if they are appropriate: DSPUSRPRF USRPRF(user-profile-name) + TYPE(*OBJAUT) OUTPUT(*PRINT) DSPUSRPRF USRPRF(user-profile-name) + TYPE(*OBJOWN) OUTPUT(*PRINT) Some IBM-supplied user profiles are ery large because of the number of objects they own. Listing and analyzing them is usually not necessary. Howeer, you should check for programs adopting the authority of the IBM-supplied user profiles that hae *ALLOBJ special authority, such as QSECOFR and QSYS. For more details on security auditing see Chapter 9, of the Security Reference book. Analyze object authorities You can use the following method to determine who has authority to libraries on the system: 1. Use the DSPOBJD command to list all the libraries on the system: DSPOBJD OBJ(QSYS/*ALL) OBJTYPE(*LIB) ASPDEV(*ALLAVL) OUTPUT(*PRINT) Note: Libraries in independent auxiliary storage pools that are not in AVAILABLE status will not be displayed by this command. 2. Use the Display Object Authority (DSPOBJAUT) command to list the authorities to a specific library: DSPOBJAUT OBJ(QSYS/library-name) OBJTYPE(*LIB) + ASPDEV(asp-deice-name) OUTPUT(*PRINT) 3. Use the Display Library (DSPLIB) command to list the objects in the library: DSPLIB LIB(QSYS/library-name) ASPDEV(asp-deice-name) OUTPUT(*PRINT) Using these reports, you can determine what is in a library and who has access to the library. If necessary, you can use the DSPOBJAUT command to iew the authority for selected objects in the library also. Check for altered objects You can use the Check Object Integrity (CHKOBJITG) command to look for objects that hae been altered. An altered object is usually an indication that someone is attempting to tamper with your system. You may want to run this command after someone has: Restored programs to your system Used dedicated serice tools (DST) When you run the command, the system creates a database file containing information about any potential integrity problems. You can check objects owned by one profile, seeral different profiles, or all profiles. You can look for objects whose domain has been altered. You can also recalculate program alidation alues to look for objects of type *PGM, *SRVPGM, *MODULE, and *SQLPKG that hae been altered. Running the CHKOBJITG program requires *AUDIT special authority. The command may take a long time to run because of the scans and calculations it performs. You should run it at a time when your system is not busy. 56 Tips and tools for securing your iseries serer V5R2

Note: Profiles that own many objects with many priate authorities can become ery large. The size of an owner profile affects performance when displaying and working with the authority to owned objects, and when saing or restoring profiles. System operations can also be impacted. To preent impacts to either performance or system operations, distribute ownership of objects to multiple profiles. Do not assign all (or nearly all) objects to only one owner profile. Analyze programs that adopt authority Programs that adopt the authority of a user with *ALLOBJ special authority represent a security exposure. The following method can be used to find and inspect those programs: 1. For each user with *ALLOBJ special authority, use the Display Programs That Adopt (DSPPGMADP) command to list the programs that adopt that user s authority: DSPPGMADP USRPRF(user-profile-name) + OUTPUT(*PRINT) Note: The topic Print selected user profiles on page 55 shows how to list users with *ALLOBJ authority. 2. Use the DSPOBJAUT command to determine who is authorized to use each adopting program and what the public authority is to the program: DSPOBJAUT OBJ(library-name/program-name) + OBJTYPE(*PGM) ASPDEV(library-name/program-name) + OUTPUT(*PRINT) 3. Inspect the source code and program description to ealuate: Whether the user of the program is preented from excess function, such as using a command line, while running under the adopted profile. Whether the program adopts the minimum authority leel needed for the intended function. Applications that use program failure can be designed using the same owner profile for objects and programs. When the authority of the program owner is adopted, the user has *ALL authority to application objects. In many cases, the owner profile does not need any special authorities. 4. Verify when the program was last changed, using the DSPOBJD command: DSPOBJD OBJ(library-name/program-name) + OBJTYPE(*PGM) ASPDEV(library-name/program-name) + DETAIL(*FULL) Manage the audit journal and journal receiers The auditing journal, QSYS/QAUDJRN, is intended solely for security auditing. Objects should not be journaled to the audit journal. Commitment control should not use the audit journal. User entries should not be sent to this journal using the Send Journal Entry (SNDJRNE) command or the Send Journal Entry (QJOSJRNE) API. Special locking protection is used to ensure that the system can write audit entries to the audit journal. When auditing is actie (the QAUDCTL system alue is not *NONE), the system arbitrator job (QSYSARB) holds a lock on the QSYS/QAUDJRN journal. You cannot perform certain operations on the audit journal when auditing is actie, such as: DLTJRN command ENDJRNxxx command Chapter 6. Protect information assets with object authority 57

APYJRNCHG command RMVJRNCHG command DMPOBJ or DMPSYSOBJ command Moing the journal Restoring the journal Operations that work with authority, such as the GRTOBJAUT command WRKJRN command The information recorded in the security journal entries is described in Security Reference book. All security entries in the audit journal hae a journal code of T. In addition to security entries, system entries also appear in the journal QAUDJRN. These are entries with a journal code of J, which relate to initial program load (IPL) and general operations performed on journal receiers (for example, saing the receier). If damage occurs to the journal or to its current receier so that the auditing entries cannot be journaled, the QAUDENDACN system alue determines what action the system takes. Recoery from a damaged journal or journal receier is the same as for other journals. You may want to hae the system manage the changing of journal receiers. Specify MNGRCV(*SYSTEM) when you create the QAUDJRN journal, or change the journal to that alue. If you specify MNGRCV(*SYSTEM), the system automatically detaches the receier when it reaches its threshold size and creates and attaches a new journal receier. This is called System change-journal management. See the iseries Information Center >Systems management > Journal management >Local journal management >Manage journals for more information. See Prerequisite and related information on page xii for information on accessing the iseries Information Center. 58 Tips and tools for securing your iseries serer V5R2

Chapter 7. Manage authority A set of security reports are aailable to help you keep track of how the authority is set up on your system. When you run these reports initially, you can print eerything (authority for all the files or for all the programs, for example). After you hae established your base of information, you can run the changed ersions of reports regularly. The changed ersions help you identify security-releant changes on your system that require your attention. For example, you can run the report that shows the public authority for files eery week. You can request only the changed ersion of the report. It will show you both new files on the system that are aailable to eeryone and existing files whose public authority has changed since the last report. Two menus are aailable to run security tools: Use the SECTOOLS menu for running programs interactiely. Use the SECBATCH menu for running programs in batch. The SECBATCH menu has two parts: one for submitting jobs to the job queue immediately, and the other for placing jobs on the job scheduler. If you are using iseries Naigator, follow these steps to run the seurity tools: 1. In iseries Naigator, expand your Serer >Security. 2. Right-click Policies and select Explore to display a list of policies you can create and manage. Monitor public authority to objects For both simplicity and performance, most systems are set up so that most objects are aailable to most users. Users are explicitly denied access to certain confidential, security-sensitie objects rather than haing to be explicitly authorized to use eery object. A few systems with high security requirements take the opposite approach and authorize objects on a need-to-know basis. On those systems, most objects are created with the public authority set to *EXCLUDE. iseries is an object-based system with many different types of objects. Most object types do not contain sensitie information or perform security-releant functions. As a security administrator on an iseries system with typical security needs, you probably want to focus your attention on objects that require protection, such as database files and programs. For other object types, you can just set public authority that is sufficient for your applications, which for most object types is *USE authority. You can use the Print Public Authority (PRTPUBAUT) command to print information about objects that public users can access. (A public user is anyone with sign-on authority who does not hae explicit authority to an object.) When you use the PRTPUBAUT command, you can specify the object types, and libraries or directories, that you want to examine. Options are aailable on the SECBATCH and SECTOOLS menus to print the Publicly Authorized Objects Report for the object types that most commonly hae security implications. You can print the changed ersion of this report regularly to see what objects might require your attention. Copyright IBM Corp. 1996, 2002 59

Manage authority for new objects Monitor authorization lists OS/400 proides functions to help you manage the authority and ownership for new objects on your system. When a user creates a new object, the system determines the following: Who will own the object What the public authority for the object is Whether the object has any priate authorities Where to put the object (what library or directory) Whether access to the object will be audited The system uses system alues, library parameters, and user profile parameters to make these decisions. Assigning Authority and Ownership to New Objects in chapter 5 of the iseries Security Reference book proides seeral examples of the options that are aailable. You can use the PRTUSRPRF command to print the user profile parameters that affect ownership and authority for new objects. Figure 5 on page 64 shows an example of this report. You can group objects with similar security requirements by using an authorization list. Conceptually, an authorization list contains a list of users and the authority that the users hae to the objects that are secured by the list. Authorization lists proide an efficient way to manage the authority to similar objects on the system. Howeer, in some cases, they make it difficult to keep track of authorities to objects. You can use the Print Priate Authority (PRTPVTAUT) command to print information about authorization list authorities. Figure 3 shows a sample of the report. Priate Authorities (Full Report) SYSTEM4 Authorization Primary List ----------Object----------- ------------Data------------ List Owner Group User Authority Mgt Opr Mgt Exist Alter Ref Read Add Upd Dlt Execute LIST1 QSECOFR *NONE *PUBLIC *EXCLUDE LIST2 BUDNIKR *NONE BUDNIKR *ALL X X X X X X X X X X X *PUBLIC *CHANGE X X X X X X LIST3 QSECOFR *NONE *PUBLIC *EXCLUDE LIST4 CJWLDR *NONE CJWLDR *ALL X X X X X X X X X X X GROUP1 *ALL X X X X X X X X X X *PUBLIC *EXCLUDE Figure 3. Priate Authorities Report for Authorization Lists This report shows the same information that you see on the Edit Authorization List (EDTAUTL) display. The adantage of the report is that it proides information about all authorization lists in one place. If you are setting up security for a new group of objects, for example, you can quickly scan the report to see if an existing authorization list meets your needs for those objects. You can print a changed ersion of the report to see new authorization lists or authorization lists with authority changes since you last printed the report. You also hae the option of printing a list of the objects that are secured by each authorization list. Figure 4 on page 61 shows an example of the report for one authorization list: 60 Tips and tools for securing your iseries serer V5R2

Display Authorization List Objects Authorization list........ : CUSTAUTL Library............ : QSYS Owner.............. : AROWNER Primary group.......... : *NONE Primary Object Library Type Owner group Text CUSTMAS CUSTLIB *FILE AROWNER *NONE CUSTORD CUSTORD *FILE OEOWNER *NONE Figure 4. Display authorization list objects report You can use this report, for example, to understand the effect of adding a new user to an authorization list (what authorities that user will receie). Use authorization lists iseries Naigator proides security features designed to assist you in deeloping a security plan and policy, and configure your system to meet your company s needs. One of the functions aailable is the use of authorization lists. Authorization lists hae the following features. An authorization list group objects with similar security requirements. An authorization list conceptually contains a list of users and groups and the authority each has to the objects secured by the list. Each user and group can hae a different authority to the set of object the list secures. Authority can be gien by way of the list, rather than to indiidual users and groups. Tasks that can be done using authorization lists include the following. Create an authorization list Change an authorization list. Add users and groups. Change user permissions. Display secured objects. To use this function, perform the following steps: 1. From iseries Naigator, expand your serer >Security. You will see Authorization Lists and Policies. 2. Right-click Authorization Lists and select New Authorization List. The New Authorization Listallows you to do the following. Use: Allows access to the object attributes and use of the object. The public may iew, but not change the objects. Change: Allows the contents of the object ( with some exceptions) to be changed. All: Allows all operations on the object, except those that are limited to the owner. The user or group can control the object s existence, specify the security for the object, change the object, and perform basic functions on the object. The user or group can also change ownership of the object. Exclude:All operations on the object are prohibited. No access or operations are allowed to the object for the users and groups haing this permission. Specifies the public is not allowed to use the object. Chapter 7. Manage authority 61

When working with authorization lists you will want to grant permissions for both objects and data. Object permissions you can choose are listed below. Operational: Proides the permission to look at the description of an object and use the object as determined by the data permission that the user or group has to the object. Management: Proides the permission to specify the security for the object, moe or rename the object, and add members to the database files. Existence: Proides the permission to control the object s existence and ownership. The user or group can delete the object, free storage of the object, perform sae and restore operations for the object, and transfer ownership of the object. If a user or group has special sae permission, the user or group does not need object existence permission. Alter (used only for database files and SQL packages): Proides the permission needed to alter the attributes of an object. If the user or group has this permission on a database file, the user or group can add and remoe triggers, add and remoe referential and unique constraints, and change the attributes of the database file. If the user or group has this permission on an SQL package, the user or group can change the attributes of the SQL package. This permission is currently used only for database files and SQL packages. Reference(used only for database files and SQL packages): Proides the permission needed to reference an object from another object such that operations on that object may be restricted by the other object. If the user or group has this permission on a physical file, the user or group can add referential constraints in which the physical file is the parent. This permission is currently used only for database files. Data permissions you can choose are listed below. Read: Proides the permission needed to get and display the contents of the object, such as iewing records in a file. Add: Proides the permission to add entries to an object, such as adding messages to a message queue or adding records to a file. Update: Proides the permission to change the entries in an object, such as changing records in a file. Delete: Proides the permission to remoe entries from an object, such as remoing messages from a message queue or deleting records from a file. Execute: Proides the permission needed to run a program, serice program or SQL package. The user can also locate an object in a library or directory. For more information on each process as you are creating or editing your authorization lists, use the online help aailable in iseries Naigator. Accessing Policies in iseries Naigator You can use iseries Naigator to iew and manage policies for your iseries serer. iseries Naigator has fie policy areas: Audit policy This allows you to set up monitoring for specific actions and access to specific resources on your system. Security policy This allows you to specify the leel of security and additional options that relate to system security. Password policy This allows you to specify password leel for the system. Restore policy This allows you to specify how certain objects are restored on the system. 62 Tips and tools for securing your iseries serer V5R2

Sign-on policy This allows you to specify how user can sign-onto the system. To iew or change policies with iseries Naigator, follow these steps: 1. From iseries Naigator, expand your serer >Security. 2. Right-click Policies and select Explore to display a list of policies that you can create and manage. See iseries Naigator help for specifics on these policies. Monitor priate authority to objects SECBATCH menu options: 12 to submit immediately 41 to use the job scheduler You can use the Print Priate Authority (PRTPVTAUT) command to print a list of all the priate authorities for objects of a specified type in a specified library. You can use this report to help you detect new authorities to objects. It can also help you keep your priate authority scheme from becoming conoluted and unmanageable. Monitor access to output and job queues Sometimes a security administrator does a great job of protecting access to files and then forgets about what happens when the contents of a file are printed. iseries serers proide functions for you to protect sensitie output queues and job queues. You protect an output queue so that unauthorized users cannot, for example, iew or copy confidential spooled files that are waiting to print. You protect job queues so that an unauthorized user cannot either redirect a confidential job to a nonconfidential output queue or cancel the job entirely. SECBATCH menu options: 24 to submit immediately 63 to use the job scheduler The Basic system security and planning in the Information Center and iseries Security Reference books describe how to protect your output queues and job queues. You can use the Print Queue Authority (PRTQAUT) command to print the security settings for the job queues and output queues on your system. You can then ealuate printing jobs that print confidential information and ensure that they are going to output queues and job queues that are protected. For output queues and job queues that you consider to be security-sensitie, you can compare your security settings to the information in Appendix D of the iseries Security Reference book. The tables in Appendix D tell what settings are required to perform different output queue and job queue functions. Chapter 7. Manage authority 63

Monitor special authorities When users on your system hae unnecessary special authorities, your efforts to deelop a good object-authority scheme may be wasted. Object authority is meaningless when a user profile has *ALLOBJ special authority. A user with *SPLCTL special authority can see any spooled file on the system, no matter what efforts you make to secure your output queues. A user with *JOBCTL special authority can affect system operations and redirect jobs. A user with *SERVICE special authority may be able to use serice tools to access data without going through the operating system. SECBATCH menu options: 29 to submit immediately 68 to use the job scheduler You can use the Print User Profile (PRTUSRPRF) command to print information about the special authorities and user classes for user profiles on your system. When you run the report, you hae seeral options: All user profiles User profiles with specific special authorities User profiles that hae specific user classes User profiles with a mismatch between user class and special authorities. Figure 5 shows an example of the report that shows the special authorities for all user profiles: L User Profile Information Report type......... : *AUTINFO Select by.......... : *SPCAUT Special authorities..... : *AL -------------Special Authorities------------- *IO Group User Group *ALL *AUD SYS *JOB *SAV *SEC *SER *SPL User Group Authority Limited Profile Profiles OBJ IT CFG CTLSYS ADM VICE CTLClass Owner Authority Type Capability USERA *NONE X X X X X X X X *SECOFR *USRPRF *NONE *PRIVATE *NO USERB *NONE X X *PGMR *USRPRF *NONE *PRIVATE *NO USERC *NONE X X X X X X X X *SECOFR *USRPRF *NONE *PRIVATE *NO USERD *NONE *USER *USRPRF *NONE *PRIVATE *NO Figure 5. User information report: Example 1 In addition to the special authorities, the report shows the following: Whether the user profile has limited capability. Whether the user or the user s group owns new objects that the user creates. What authority the user s group automatically receies to new objects that the user creates. Figure 6 on page 65 shows an example of the report for mismatched special authorities and user classes: 64 Tips and tools for securing your iseries serer V5R2

User Profile Information Report type......... : *AUTINFO Select by.......... : *MISMATCH --------------------------------Special Authorities------------- *IO Group User Group *ALL *AUD SYS *JOB *SAV *SEC *SER *SPL User Group Authority Limited Profile Profiles OBJ IT CFG CTLSYS ADM VICE CTLClass Owner Authority Type Capability USERX *NONE X X X X *SYSOPR *USRPRF *NONE *PRIVATE *NO USERY *NONE X *USER *USRPRF *NONE *PRIVATE *NO USERZ X *USER *USRPRF *NONE *PRIVATE *NO QPGMR X X Figure 6. User information report: Example 2 Monitor user enironments In Figure 6, notice the following: USERX has a system operator (*SYSOPR) user class but has *ALLOBJ and *SPLCTL special authorities. USERY has a user (*USER) user class but has *SECADM special authority. USERZ also has a user (*USER) class and *SECADM special authority. You can also see that USERZ is a member of the QPGMR group, which has *JOBCTL and *SAVSYS special authorities. You can run these reports regularly to help you monitor the administration of user profiles. One role of the user profile is to define the enironment for the user, including the output queue, the initial menu, and the job description. The user s enironment affects how the user sees the system and, to some extent, what the user is allowed to do. The user must hae authority to the objects that are specified in the user profile. Howeer, if your authority scheme is still in progress or is not ery restrictie, the user enironment that is defined in a user profile may produce results that you do not intend. Following are seeral examples: SECBATCH menu options: 29 to submit immediately 68 to use the job scheduler The user s job description may specify a user profile that has more authority than the user. The user may hae an initial menu that does not hae a command line. Howeer, the user s attention-key-handling program may proide a command line. The user may be authorized to run confidential reports. Howeer, the user s output may be directed to an output queue that is aailable to users who should not see the reports. You can use the *ENVINFO option of the Print User Profile (PRTUSRPRF) command to help you monitor the enironments that are defined for system users. Figure 7 on page 66 shows an example of the report: Chapter 7. Manage authority 65

User Profile Information Report type...: *ENVINFO Select by...: *USRCLS Initial Initial Job Message Output Attention User Current Menu/ Program/ Description/ Queue/ Queue/ Program/ Profile Library Library Library Library Library Library Library AUDSECOFR AUDITOR MAIN *NONE QDFTJOBD QSYSOPR *WRKSTN *SYSVAL *LIBL QGPL QSYS USERA *CRTDFT OEMENU *NONE QDFTJOBD USERA *WRKSTN *SYSVAL *LIBL QGPL QUSRSYS USERB *CRTDFT INVMENU *NONE QDFTJOBD USERB *WRKSTN *SYSVAL *LIBL QGPL QUSRSYS USERC *CRTDFT PAYROLL *NONE QDFTJOBD USERC PAYROLL *SYSVAL *LIBL QGPL QUSRSYS PRPGMLIB Figure 7. Print user profile-user enironment example Manage serice tools Serice tools are used to configure, manage, and serice your serer. Serice tools can be accessed from dedicated serice tools (DST) or system serice tools (SST). Serice tools user IDs are required to access DST, SST, and to use iseries Naigator functions for logical partition (LPAR) management and disk unit management. DST is aailable when the Licensed Internal Code has been started, een if OS/400 has not been loaded. SST is aailable from OS/400. The following table outlines the basic differences between DST and SST. Characteristic DST SST How to access Physical access through console during a manual IPL or by selecting option 21 on the control panel. When aailable How to authenticate Aailable een when the serer has limited capabilities. OS/400 is not required to access DST. Requires serice tools user ID and password. Access through interactie job with the ability to sign on with QSRV or the following authorizations: Authorized to STRSST (Start SST) CL command. Serice special authority (*SERVICE) or all object special authority (*ALLOBJ). Functional priilege to use SST. Aailable when OS/400 has been started. OS/400 is required to access SST. Requires serice tools user ID and password. See the iseries Information Center >Security >Serice tools for information about using the Serice tools to perform the following tasks: Access serice tools with DST Access serice tools with SST Access serice tools with iseries Naigator Create a serice tools user ID Change the functional priileges for a serice tools user ID Change the description for a serice tools user ID 66 Tips and tools for securing your iseries serer V5R2

Display a serice tools user ID Enable or disable a serice tools user ID Delete a serice tools user ID Change serice tools user IDs and passwords using SST or DST Change your serice tools user ID password using STRSST Change serice tools user IDs and passwords using Change Serice Tools User ID (QSYCHGDS) API Reset the QSECOFR OS/400 user profile password Reset the QSECOFR serice tools user ID and password Sae serice tools security data Restore serice tools security data Create your own ersion of the QSECOFR serice tools user ID Configure the serice tools serer for DST Configure the serice tools serer for OS/400 Monitor serice function use through DST Monitor serice tools use through OS/400 security audit log See Prerequisite and related information on page xii for information on accessing the iseries Information Center. Chapter 7. Manage authority 67

68 Tips and tools for securing your iseries serer V5R2

Chapter 8. Use logical partitions security (LPAR) Haing multiple logical partitions on a single iseries serer could proe beneficial in the following scenarios. Maintain independent systems: Dedicating a portion of the resources (disk storage unit, processors, memory, and I/O deices) to a partition achiees logical isolation of software. Logical partitions also hae some hardware fault tolerance if configured properly. Interactie and batch workloads which may not run well together on a single machine can be isolated and run efficiently in separate partitions. Consolidation : A logically partitioned system can reduce the number of iseries serer systems that are needed within an enterprise. You can consolidate seeral systems into a single logically partitioned system. This eliminates the need for, and expense of, additional equipment. You can shift resources from one logical partition to another as needs change. Create a mixed production and test enironment: You can create a combination production and test enironment. You can create a single production partition in the primary partition. For multiple production partitions, see Creating a Multiple Production Partition Enironment below. A logical partition is either a test or production partition. A production partition runs the your main business applications. A failure in a production partition could significantly hinder business operations and cost the you time and money. A test partition tests software. A failure in a test partition, while not necessarily planned, will not disrupt normal business operations. Create a multiple production partition enironment: You should create multiple production partitions only in your secondary partitions. In this situation, you dedicate the primary partition to partition management. Hot backup: When a secondary partition replicates to another logical partition within the same system, switching to the backup during partition failure would cause minimal inconenience. This configuration also minimizes the effect of long sae windows. You can take the backup partition off line and sae, while the other logical partition continues to perform production work. You will need special software to use this hot backup strategy. Integrated cluster: Using OptiConnect/400, and high aailability application software, your partitioned system can run as an integrated cluster. You can use an integrated cluster to protect your system from most unscheduled failures within a secondary partition. Note: When setting up a secondary partition, additional considerations for card locations need to be made. If the Input/Output Processor (IOP) you select for the console also has a LAN card and the LAN card is not intended for use with Operations Console, it will be actiated for use by the console and you may not be able to use it for your intended purposes. For more information on working with Operations Console, see Chapter 9, iseries Operations Console on page 71. Refer to Logical Partitions in the iseries Information Center for more detailed information on this topic. Copyright IBM Corp. 1996, 2002 69

Manage security for logical partitions The security-related tasks you perform on a partitioned system are the same as on a system without logical partitions. Howeer, when you create logical partitions, you work with more than one independent system. Therefore you will hae to perform the same tasks on each logical partition instead of just once on a system without logical partitions. Here are some basic rules to remember when dealing with security on logical partitions: You add users to the system one logical partition at a time. You need to add users to each logical partition you want them to access. Limit the number of people who hae authority to go to dedicated serice tools (DST) and system serice tools (SST) on the primary partition. Refer to the Managing logical partitions with Operations Naigator along with DST and SST topic in the iseries Information Center for more information on DST and SST. Refer to Manage serice tools on page 66 for information on using serice tool user profiles to control access to partition actiities. Note: You must initialize the Serice Tools Serer (STS) before using Operations Naigator to access LPAR functions. See the iseries Information Center >Security >Serice tools for related information. See Prerequisite and related information on page xii for information on accessing the iseries Information Center. Secondary partitions cannot see or use main storage and disk units of another logical partition. Secondary partitions can only see their own hardware resources. The primary partition can see all system hardware resources in the Work with System Partitions displays of DST and SST. The primary partition operating system still only sees its resources aailable. The system control panel controls the primary partition. When you set the panel mode to Secure, no actions can be performed on the Work with Partition Status display from SST. To force DST from the system control panel, you must change the mode to Manual. When you set the operating mode of a secondary partition to secure, you restrict the usage of its Work with Partition Status in these ways: You can only use DST on the secondary partition to change partition status; you cannot use SST to change partition status. You can only force DST on the secondary partition from the primary partition Work with Partition Status display using either DST or SST. You can only use DST on the primary partition to change a secondary partition mode from secure to any other alue. Once a secondary partition s mode is no longer secure, you can use both DST and SST on the secondary partition to change partition status. For more information on security on your iseries serer, refer to the Security Reference book and the Basic system security and planning pages of the iseries Information Center. 70 Tips and tools for securing your iseries serer V5R2

Chapter 9. iseries Operations Console Operations Console allows you to use your PC to access and control your iseries serer. Operations Console includes support for remote PC dial-in to a iseries serers without console deices, allowing remote PCs to become the consoles. When you use Operations Console, note the following: You can do any tasks that you could do from a traditional console from Operations Console. For example, user profiles that hae *SERVICE or *ALLOBJ special authority are able to sign on to the Operations Console session, een if they are disabled. Operations Console uses Serice Tools User Profiles and passwords to enable the connection to the iseries serer. This makes it especially important to change your Serice Tools User Profiles and passwords. Hackers are likely to be familiar with the default Serice Tools User Profiles userids and passwords, and could use them to attempt a remote console session to your iseries serer. See Change known passwords on page 25 and Aoid default passwords on page 30 for tips on passwords. To protect your information when using the Remote Console, use the call back option of Windows Dial-Up Networking. When setting up a secondary partition, additional considerations for card locations need to be made. If the Input/Output Processor (IOP) you select for the console also has a LAN card and the LAN card is not intended for use with Operations Console, it will be actiated for use by the console and you may not be able to use it for your intended purposes. In V5R1, Operations Console was enhanced to enable console actiities to be performed across a local area network (LAN). Enhanced authentication and data encryption proide network security for console procedures. To use Operations Console with LAN connectiity, you are strongly encouraged to install the following products: Cryptographic Access Proider, 5722 AC2 or 5722 AC3 on your iseries serer Client Encryption, 5722 CE2 or 5722 CE3 on your Operations Console PC In order for the console data to be encrypted, the iseries serer must hae one of the Cryptographic Access Proider products installed and the PC must hae one of the Client Encryption products installed. Note: If no cryptographic products are installed, there won t be any data encryption. The table below summarizes the encryption results of the aailable products: Table 13. Encryption results Cryptographic Access Proider on your iseries serer Client Encryption on your Operations Console PC Resulting Data Encryption None None None 5722 AC2 5722 CE2 56 bit 5722 AC2 5722 CE3 56 bit 5722 AC3 5722 CE2 56 bit Copyright IBM Corp. 1996, 2002 71

Table 13. Encryption results (continued) Cryptographic Access Proider on your iseries serer Client Encryption on your Operations Console PC Resulting Data Encryption 5722 AC3 5722 CE3 128 bit For additional information about setting up and administering iseries Operations Console, see the iseries Information Center. Operations Console security oeriew Operations Console security consists of: console deice authentication user authentication data priacy data integrity Operations Console with direct connectiity has implicit deice authentication, data priacy, and data integrity due to its point-to-point connection. User authentication security is required to sign on to the console display. Console deice authentication Console deice authentication assures which physical deice is the console. Operations Console with direct connectiity uses a physical connection similar to a twinaxial console. Operations Console using a direct connection may be physically secured similar to a twinaxial connection to control access to the physical console deice. Operations Console with LAN connectiity uses a ersion of secure sockets layer (SSL) which supports deice and user authentication but without using certificates. For this form of connection, deice authentication is based on a serice tools deice profile. Refer to 73 for more details. User authentication User authentication proides assurance about who is using the console deice. All issues related to user authentication are the same regardless of console type. Data priacy Data priacy proides confidence that the console data can only be read by the intended recipient. Operations Console with direct connectiity uses a physical connection similar to a twinaxial console or secure network connection for LAN connectiity to protect console data. Operations Console using a direct connection has the same data priacy of a twinaxial connection. If the physical connection is secure, the console data remains protected. Operations Console with LAN connectiity uses a secure network connection if the appropriate cryptographic products are installed (ACx and CEx). The console session uses the strongest encryption possible depending on the cryptographic products installed on the iseries serer and the PC running Operations Console. Note: If no cryptographic products are installed, there will not be any data encryption. 72 Tips and tools for securing your iseries serer V5R2

Data integrity Data integrity proides confidence that the console data has not changed en route to the recipient. Operations Console with direct connectiity uses a physical connection similar to a twinaxial console or secure network connection for LAN connectiity to protect console data. Operations Console using a direct connection has the same data integrity of a twinaxial connection. If the physical connection is secure, the console data remains protected. Operations Console with LAN connectiity uses a secure network connection if the appropriate cryptographic products are installed (ACx and CEx). The console session uses the strongest encryption possible depending on the cryptographic products installed on the iseries serer and the PC running Operations Console. Note: If no cryptographic products are installed, there will not be any data encryption. Use Operations Console with LAN connectiity Note: Any Operations Console deice can be a console, but only LAN-based configurations use the serice tool user profile. The iseries serer is shipped with a default serice tools deice profile of QCONSOLE with a default password of QCONSOLE. Operations Console with LAN connectiity will change the password during each successful connection. See Use the Operations Console setup wizard for more information. For additional information about iseries Operations Console with LAN connectiity, refer to the topic, Configure Operations Console with LAN Connectiity, in the Information Center. Protect Operations Console with LAN connectiity When using Operations Console with LAN connectiity, the items below are recommended: Create another serice tools deice profile with console attributes and store the profile information in a safe place. Install Cryptographic Access Proider, 5722 AC2 or 5722 AC3 on your iseries serer and Client Encryption, 5722 CE2 or 5722 CE3 on your Operations Console PC. Choose a non-triial serice deice information password. Protect the Operations Console PC in the same manner you would protect a twinaxial console or an Operations Console with direct connectiity. Use the Operations Console setup wizard The setup wizard will add the necessary information to the PC when using Operations Console with LAN connectiity. The setup wizard asks for the serice tools deice profile, the serice tools deice profile password, and a password to protect the serice tools deice profile information. Note: The serice tools deice profile information password is used to lock and unlock the serice tools deice profile information (serice tools deice profile and password) on the PC. Chapter 9. iseries Operations Console 73

When establishing a network connection, the Operations Console setup wizard will prompt you for the serice deice information password to access the encrypted serice tools deice profile and password. You will also be prompted for a alid serice tools user identification and password. 74 Tips and tools for securing your iseries serer V5R2

Chapter 10. Detect suspicious programs Recent trends in computer usage hae increased the likelihood that your system has programs from untrusted sources or programs that perform unknown functions. Following are examples: A personal computer user sometimes obtains programs from other PC users. If the PC is attached to your iseries system, that program can affect your iseries serer. Users who connect to networks can also obtain programs, for example from bulletin boards. Hackers hae become more actie and renowned. They often publish their methods and their results. This can lead to imitation by normally law-abiding programmers. These trends hae led to a problem in computer security that is called a computer irus. A irus is a program that can change other programs to include a copy of itself. The other programs are then said to be infected by the irus. Additionally, the irus can perform other operations that can take up system resources or destroy data. The architecture of the iseries serer proides some protection from the infectious characteristics of a computer irus. Protect against computer iruses describes this. An iseries serer security administrator needs to be more concerned about programs that perform unauthorized functions. The remaining topics in this chapter describe ways that someone with ill intentions might set up harmful programs to run on your system. The topics proide tips for preenting programs from performing unauthorized functions. Security tip Object authority is always your first line of defense. If you do not hae a good plan for protecting your objects, your system is defenseless. This information discusses ways that an authorized user might try to take adantage of loop-holes in your object authority scheme. Protect against computer iruses A computer that has a irus infection has a program that can change other programs. The object-based architecture of iseries makes it more difficult for a mischief-maker to produce and spread this type of irus than it is with other computer architectures. On the iseries serer, you use specific commands and instructions to work on each type of object. You cannot use a file instruction to change an operable program object (which is what most irus-creators do). Nor can you easily create a program that changes another program object. To do this requires considerable time, effort, and expertise, and it requires access to tools and documentation that are not generally aailable. Howeer, as new iseries serer functions become aailable to participate in the open-systems enironment, some of the object-based protection functions of iseries serers no longer apply. For example, with the integrated file system (IFS), users can directly manipulate some objects in directories, such as stream files. Copyright IBM Corp. 1996, 2002 75

Also, although iseries serer architecture makes it difficult for a irus to spread among iseries serer programs, its architecture does not preent the iseries serer from being a irus-carrier. As a file serer, the iseries serer can store programs that many PC users share. Any one of these programs might contain a irus that the iseries serer does not detect. To preent this type of irus from infecting the PCs that are attached to your iseries serer, you must use PC irus-scan software. Seeral functions exist on the iseries serer to preent someone from using a low-leel language with pointer capability to alter an operable object program: If your system runs at security leel 40 or higher, the integrity protection includes protections against changing program objects. For example, you cannot successfully run a program that contains blocked (protected) machine instructions. The program alidation alue is also intended to protect you when you restore a program that was saed (and potentially changed) on another system. Chapter 2 in the iseries Security Reference book describes the integrity protection functions for security leel 40 and higher, including program alidation alues. Note: The program alidation alue is not foolproof, and it is not a replacement for igilance in ealuating programs that are restored to your system. Seeral tools are also aailable to help you detect the introduction of an altered program into your system: You can use the Check Object Integrity (CHKOBJITG) command to scan objects (operable objects) that meet your search alues to ensure that those objects hae not been altered. This is similar to a irus-scan function. You can use the security auditing function to monitor programs that are changed or restored. The *PGMFAIL, *SAVRST, and *SECURITY alues for the authority leel system alue proide audit records that can help you detect attempts to introduce a irus-type program into your system. Chapter 9 and Appendix F in the iseries Security Reference book proide more information about audit alues and the audit journal entries. You can use the force create (FRCCRT) parameter of the Change Program (CHGPGM) command to re-create any program that has been restored to your system. The system uses the program template to re-create the program. If the program object has been changed after it was compiled, the system re-creates the changed object and replaces it. If the program template contains blocked (protected) instructions, the system will not re-create the program successfully. You can use the QFRCCVNRST (force conersion on restore) system alue to recreate any program as it restored to your system. The system uses the program template to recreate the program. This system alue proides seeral choices on which programs to recreate. You can use the QVFYOBJRST (erify objects on restore) system alue to preent the restore of programs that do not hae a digital signature or do not hae a alid digital signature. When a digital signature is not alid, it means the program has been changed since it was signed by its deeloper. APIs exist that allow you to sign your own programs, sae files, and stream files. For more information on signing and how it can be used to protect your system from attack, see Object signing on page 86. 76 Tips and tools for securing your iseries serer V5R2

Monitor usage of adopted authority On an iseries serer, you can create a program that adopts the authority of the owner of the program. This means that any user who runs the program has the same authorities (priate authorities and special authorities) as the user profile that owns the program. Adopted authority is a aluable security tool when it is used correctly. Enhance menu access control with object security on page 50, for example, describes how to combine adopted authority and menus to help you expand beyond menu access control. You can use adopted authority to protect your important files from being changed outside of your approed application programs while you still allow queries against the files. As security administrator, you should make sure that adopted authority is used properly: Programs should adopt the authority of a user profile that has only enough authority to do the necessary functions, not excessie authority. You should be particularly cautious of programs that adopt the authority of a user profile that either has *ALLOBJ special authority or owns important objects. Programs that adopt authority should hae a specific, limited function and should not proide command-entry capability. Programs that adopt authority should be secured properly. Excessie use of adopted authority may hae a negatie impact on your system performance. To help you aoid performance problems, reiew the authority-checking flowcharts and the suggestions for using adopted authority in Chapter 5 of the iseries Security Reference book. SECBATCH menu options: 1 to submit immediately 40 to use the job scheduler You can use the Print Adopting Objects (PRTADPOBJ) command (option 21 on the SECTOOLS menu) to help you monitor the use of adopted authority on your system. The report displays special authorities of the specified user profile, programs that adopt the user profile s authority, as well as ASP deices that use the profile s authorities. After you hae established a base of information, you can print the changed ersion of the adopted objects report regularly. It lists new programs that adopt authority and programs that hae been changed to adopt authority since you last ran the report. If you suspect that adopted authority is being misused on your system, you can set the QAUDLVL system alue to include *PGMADP. When this alue is actie, the system creates an audit journal entry wheneer someone starts or ends a program that adopts authority. The entry includes the name of the user who started the program and the name of the program. Limit the use of adopted authority When an iseries program runs, the program can use adopted authority to gain access to objects in two different ways: Chapter 10. Detect suspicious programs 77

The program itself can adopt the authority of its owner. This is specified in the user profile (USRPRF) parameter of the program or serice program. The program can use (inherit) adopted authority from a preious program that is still in the job s call stack. A program can inherit the adopted authority from preious programs een if the program itself does not adopt authority. The use adopted authority (USEADPAUT) parameter of a program or a serice program controls whether the program inherits adopted authority from preious programs in the program stack. Following is an example of how using adopted authority from preious programs works. Assume that the ICOWNER user profile has *CHANGE authority to the ITEM file and that the public authority to the ITEM file is *USE. No other user profiles hae any explicitly defined authority to the ITEM file. Table 14 shows the attributes for three programs that use the ITEM file: Table 14. Use Adopted Authority (USEADPAUT) Example Program Name Program Owner USRPRF Value USEADPAUT Value PGMA ICOWNER *OWNER *YES PGMB ICOWNER *USER *YES PGMC ICOWNER *USER *NO Example 1 Adopting Authority: 1. USERA runs the PGMA program. 2. The PGMA program attempts to open the ITEM file with update capability. Result: Attempt is successful. USERA has *CHANGE access to the ITEM file because PGMA adopts ICOWNER s authority. Example 2 Using Adopted Authority: 1. USERA runs the PGMA program. 2. The PGMA program calls the PGMB program. 3. The PGMB program attempts to open the ITEM file with update capability. Result: Attempt is successful. Although the PGMB program does not adopt authority (*USRPRF is *USER), it allows the use of preious adopted authority (*USEADPAUT is *YES). The PGMA program is still in the program stack. Therefore, USERA gets *CHANGE access to the ITEM file because PGMA adopts ICOWNER s authority. Example 3 Not Using Adopted Authority: 1. USERA runs the PGMA program. 2. The PGMA program calls the PGMC program. 3. The PGMC program attempts to open the ITEM file with update capability. Result: Authority failure. The PGMC program does not adopt authority. The PGMC program also does not allow the use of adopted authority from preious programs. Although PGMA is still in the call stack, its adopted authority is not used. Preent new programs from using adopted authority The passing of adopted authority to later programs in the stack proides an opportunity for a knowledgeable programmer to create a Trojan horse program. 78 Tips and tools for securing your iseries serer V5R2

The Trojan horse program can rely on preious programs in the stack to get the authority that it needs to perform mischief. To preent this, you can limit which users are allowed to create programs that use the adopted authority of preious programs. When you create a new program, the system automatically sets the USEADPAUT parameter to *YES. If you do not want the program to inherit adopted authority, you must use the Change Program (CHGPGM) command or the Change Serice Program (CHGSRVPGM) to set the USEADPAUT parameter to *NO. You can use an authorization list and the use adopted authority (QUSEADPAUT) system alue to control who can create programs that inherit adopted authority. When you specify an authorization list name in the QUSEADPAUT system alue, the system uses this authorization list to determine how to create new programs. When a user creates a program or serice program, the system checks the user s authority to the authorization list. If the user has *USE authority, the USEADPAUT parameter for the new program is set to *YES. If the user does not hae *USE authority, the USEADPAUT parameter is set to *NO. The user s authority to the authorization list cannot come from adopted authority. The authorization list that you specify in the QUSEADPAUT system alue also controls whether a user can use a CHGxxx command to set the USEADPAUT alue for a program or a serice program. Notes: 1. You do not need to call your authorization list QUESADPAUT. You can create an authority list with a different name. Then specify that authorization list for the QUSEADPAUT system alue. In the commands in this example, substitute the name of your authorization list. 2. The QUSEADPAUT system alue does not affect existing programs on your system. Use the CGHPGM command or the CHGSRVPGM command to set the USEADPAUT parameter for existing programs. More Restrictie Enironment: If you want most users to create new programs with the USEADPAUT parameter set to *NO, do the following: 1. To set the public authority for the authorization list to *EXCLUDE, type the following: CHGAUTLE AUTL(QUSEADPAUT) USER(*PUBLIC) AUT(*EXCLUDE) 2. To set up specific users to create programs that use the adopted authority of preious programs, type the following: ADDAUTLE AUTL(QUSEADPAUT) USER(user-name) AUT(*USE) Less Restrictie Enironment: If you want most users to create new programs with the USEADPAUT parameter set to *YES, do the following: 1. Leae the public authority for the authorization list set to *USE. 2. To preent specific users from creating programs that use the adopted authority of preious programs, type the following: ADDAUTLE AUTL(QUSEADPAUT) USER(user-name) AUT(*EXCLUDE) Chapter 10. Detect suspicious programs 79

Monitor usage of trigger programs DB2 UDB proides the capability to associate trigger programs with database files. Trigger-program capability is common across the industry for high-function database managers. When you associate a trigger program with a database file, you specify when the trigger program runs. For example, you can set up the customer order file to run a trigger program wheneer a new record is added to the file. When the customer s outstanding balance exceeds the credit limit, the trigger program can print a warning letter to the customer and send a message to the credit manager. Trigger programs are a productie way both to proide application functions and to manage information. Trigger programs also proide the ability for someone with deious intentions to create a Trojan horse on your system. A destructie program may be sitting and waiting to run when a certain eent occurs in a database file on your system. Note: In history, the Trojan horse was a large hollow wooden horse that was filled with Greek soldiers. After the horse was introduced within the walls of Troy, the soldiers climbed out of the horse and fought the Trojans. In the computer world, a program that hides destructie functions is often called a Trojan horse. SECBATCH menu options: 27 to submit immediately 66 to use the job scheduler When your system ships, the ability to add a trigger program to a database file is restricted. If you are managing object authority carefully, the typical user will not hae sufficient authority to add a trigger program to a database file. (Appendix D in the iseries Security Reference book tells the authority that is required or all commands, including the Add Physical File Trigger (ADDPFTRG) command. You can use the Print Trigger Programs (PRTTRGPGM) command to print a list of all the trigger programs in a specific library or in all libraries. You can use the initial report as a base to ealuate any trigger programs that already exist on your system. Then, you can print the changed report regularly to see whether new trigger programs hae been added to your system. When you ealuate trigger programs, consider the following: Who created the trigger program? You can use the Display Object Description (DSPOBJD) command to determine this. What does the program do? You will hae to look at the source program or talk to the program creator to determine this. For example, does the trigger program check to see who the user is? Perhaps the trigger program is waiting for a particular user (QSECOFR) in order to gain access to system resources. After you hae established a base of information, you can print the changed report regularly to monitor new trigger programs that hae been added to your system. 80 Tips and tools for securing your iseries serer V5R2

Check for hidden programs Trigger programs are not the only possible way to introduce a Trojan horse into your system. Trigger programs are an example of an exit program. When a certain eent occurs, such as a file update in the case of a trigger program, the system runs the exit program that is associated with that eent. Table 15 describes other examples of exit programs that might be on your system. You should use the same methods for ealuating the use and content of these exit programs that you use for trigger programs. Note: Table 15 is not a complete list of possible exit programs.. Table 15. System-Proided Exit Programs Program name When the program runs User-specified name on the DDMACC When a user attempts to open a DDM file on your system or makes a network attribute. DRDA connection. User-specified name on the PCSACC When a user attempts to use Client Access functions using the Original network attribute. Clients to access objects on your system. User-specified name on the When a user runs the Change Password function. QPWDVLDPGM system alue User-specified name on the QRMTSIGN When a user attempts to sign on interactiely from a remote system. system alue. QSYS/QEZUSRCLNP When the automatic cleanup function runs. User-specified name on the EXITPGM When you use the Operation Assistant backup function. parameter of the CHGBCKUP command. User-specified names on the Before and after you sae, restore, or delete the product that was created CRTPRDLOD command. with the command. User-specified name on the DFTPGM If a default program is specified for a message, the system runs the parameter of the CHGMSGD command. program when the message is issued. Because of the large number of message descriptions on a typical system, the use of default programs is difficult to monitor. To preent public users from adding default programs for messages, consider setting the public authority for message files (*MSGF objects) to *USE. User-specified name on the FKEYPGM parameter of the STREML3270 command. User-specified name on the EXITPGM parameter of the performance monitor commands User-specified name on the EXITPGM parameter of the RCVJRNE command. User-specified name on the QTNADDCR API. User-specified names on the QHFRGFS API. User-specified name on the SEPPGM parameter of a printer deice description QGPL/QUSCLSXT When the user presses a function key during the 3270 deice emulation session. The system returns control to the 3270 deice emulation session when the exit program ends. To process data that is collected by the following commands: STRPFRMON, ENDPFRMON, ADDPFRCOL, and CHGPFRCOL. The program runs when data collection ends. For each journal entry or group of journal entries that it reads from the specified journal and journal receiers. During a COMMIT or ROLLBACK operation. To perform the file system functions. To determine what to print on the separator page before or after a spooled file or a print job. When a database file is closed to allow the capture of file usage information. Chapter 10. Detect suspicious programs 81

Table 15. System-Proided Exit Programs (continued) Program name When the program runs User-specified name on the FMTSLR parameter of a logical file. User-specified name that is specified in the QATNPGM system alue, the ATNPGM parameter in a user profile, or the PGM parameter of the SETATNPGM command. User-specified name on the EXITPGM parameter of the TRCJOB command. When a record is written to the database file and a record format name is not included in the high-leel language program. The selector program receies the record as input, determines the record format used, and returns it to the database. When a user presses the Attention key. Before starting the Trace Job procedure. For commands that allow you to specify an exit program, you should ensure that the command default has not been changed to specify an exit program. You should also ensure that the public authority for these commands is not sufficient to change the command default. The CHGCMDDFT command requires *OBJMGT authority to the command. You do not need *OBJMGT authority to run a command. Ealuate registered exit programs You can use the system registration function to register exit programs that should be run when certain eents occur. To list the registration information on your system, type WRKREGINF OUTPUT(*PRINT). Figure 8 shows an example of the report: Work with Registration Information Exit point.............. : QIBM_QGW_NJEOUTBOUND Exit point format.......... : NJEO0100 Exit point registered........ : *YES Allow deregister........... : *YES Maximum number of exit programs... : *NOMAX Current number of exit programs... : 0 Preprocessing for add........ : *NONE Library.............. : Format............... : Preprocessing for remoe....... : *NONE Library.............. : Format............... : Preprocessing for retriee...... : *NONE Library.............. : Figure 8. Work with Registration Information-Example For each exit point on the system, the report shows whether any exit programs are currently registered. When an exit point has programs that are currently registered, you can select option 8 (Display programs) from the display ersion of WRKREGINF to display information about the programs: 82 Tips and tools for securing your iseries serer V5R2

Work with Registration Information Type options, press Enter. 5=Display exit point 8=Work with exit programs Exit Exit Point Opt Point Format Registered Text QIBM_QGW_NJEOUTBOUND NJEO0100 *YES Network Job Entry outbound ex 8 QIBM_QHQ_DTAQ DTAQ0100 *YES Original Data Queue Serer QIBM_QLZP_LICENSE LICM0100 *YES Original License Mgmt Serer QIBM_QMF_MESSAGE MESS0100 *YES Original Message Serer QIBM_QNPS_ENTRY ENTR0100 *YES Network Print Serer - entry QIBM_QNPS_SPLF SPLF0100 *YES Network Print Serer - spool QIBM_QNS_CRADDACT ADDA0100 *YES Add CRQ description actiity QIBM_QNS_CRCHGACT CHGA0100 *YES Change CRQ description actii Check scheduled programs Use the same method for ealuating these exit programs that you use for other exit programs and trigger programs. iseries proides seeral methods for scheduling jobs to run at a later time, including the job scheduler. Normally, these methods do not represent a security exposure because the user who schedules the job must hae the same authority that is required to submit the job to batch. Howeer, you should periodically check for jobs scheduled in the future. A disgruntled user who is no longer in the organization may use this method to schedule a disaster. Restrict Sae and Restore capability Most users do not need to sae and restore objects on your system. The sae commands proide the possibility of copying important assets of your organization to media or to another system. Most sae commands support sae files that can be sent to another system (by using the SNDNETF file command) without haing access to media or a sae/restore deice. Restore commands proide the opportunity to restore unauthorized objects, such as programs, commands, and files, to your system. You can also restore information without access to media or to a sae/restore deice by using sae files. Sae files can be sent from another system by using the SNDNETF command or by using the FTP function. Following are suggestions for restricting sae and restore operations on your system: Control which users hae *SAVSYS special authority. *SAVSYS special authority allows the user to sae and restore objects een when the user does not hae the necessary authority to the objects. Control physical access to sae and restore deices. Restrict access to the sae and restore commands. When you install OS/400 licensed programs, the public authority for the RSTxxx commands is *EXCLUDE. Public authority for the SAVxxx commands is *USE. Consider changing the public authority for SAVxxx commands to *EXCLUDE. Carefully limit the users that you authorize to the RSTxxx commands. Chapter 10. Detect suspicious programs 83

Use the QALWOBJRST system alue to restrict restoration of system-state programs, programs that adopt authority, and objects that hae alidation errors. Use the QVFYOBJRST system alue to control restoring signed objects on your system. Use the QFRCCVNRST system alue to control the recreation of certain objects being restored on your system. Use security auditing to monitor restore operations. Include *SAVRST in the QAUDLVL system alue, and periodically print audit records that are created by restore operations. (Chapter 9 and Appendix F of the iseries Security Reference book proide more information about the audit entries operations.) Check for user objects in protected libraries Eery iseries serer job has a library list. The library list determines the sequence in which the system searches for an object if a library name is not specified with the object name. For example, when you call a program without specifying where the program is, the system searches your library list in order and runs the first copy of the program that it finds. The iseries Security Reference book proides more information about the security exposures of library lists and calling programs without a library name (called an unqualified call). It also proides suggestions for controlling the content of library lists and the ability to change the system library lists. For your system to run properly, certain system libraries, such as QSYS and QGPL, must be in the library list for eery job. You should use object authority to control who can add programs to these libraries. This helps to preent someone from placing an imposter program in one of these libraries with the same name as a program that appears in a library later in the library list. You should also ealuate who has authority to the CHGSYSLIBL command and monitor SV records in the security audit journal. A deious user could place a library ahead of QSYS in the library list and cause other users to run unauthorized commands with the same names as IBM-supplied commands. SECBATCH menu options: 28 to submit immediately 67 to use the job scheduler You can use the Print User Objects (PRTUSROBJ) command to print a list of user objects (objects not created by IBM) that are in a specified library. You can then ealuate the programs on the list to determine who created them and what function they perform. User objects other than programs can also represent a security exposure when they are in system libraries. For example, if a program writes confidential data to a file whose name is not qualified, that program might be fooled into opening an imposter ersion of that file in a system library. 84 Tips and tools for securing your iseries serer V5R2

Chapter 11. Preent and detect hacking attempts Physical security Monitor user profile actiity This information is a collection of miscellaneous tips to help you to detect potential security exposures and mischief-makers. Your system unit represents an important business asset and a potential door into your system. Some system components inside the system are both small and aluable. You should place the system unit in a controlled location to preent someone from remoing aluable system components. The system unit has a control panel that proides the ability to perform basic functions without a workstation. For example, you can use the control panel to do the following: Stop the system. Start the system. Load the operating system. Start serice functions. All of these actiities can disrupt your system users. They also represent a potential security exposure to your system. You can use the keylock that comes with your system to control when these actiities are allowed. To preent the use of the control panel, place the keylock in the Secure position, remoe the key, and store it in a safe place. Notes: 1. If you need to perform remote IPLs or perform remote diagnostics on your system, you may need to choose another setting for the keylock. The Getting Started topic in the iseries Information Center proides more information about keylock settings (see Prerequisite and related information on page xii for details). 2. Not all system models come with a keylock as a standard feature. User profiles proide entry to your system. Parameters in the user profile determine a user s enironment and a user s security characteristics. As a security administrator, you need to control and audit changes that occur to user profiles on your system. You can set up security auditing so that your system writes a record of changes to user profiles. You can use the DSPAUDJRNE command to print a report of those changes. You can create exit programs to ealuate requested actions to user profiles. Table 16 shows the exit points that are aailable for user profile commands. Table 16. Exit points for user profile actiity User profile command Create User Profile (CRTUSRPRF) Exit point name QIBM_QSY_CRT_PROFILE Copyright IBM Corp. 1996, 2002 85

Table 16. Exit points for user profile actiity (continued) User profile command Exit point name Change User Profile (CHGUSRPRF) Delete User Profile (DLTUSRPRF) Restore User Profile (RSTUSRPRF) QIBM_QSY_CHG_PROFILE QIBM_QSY_DLT_PROFILE QIBM_QSY_RST_PROFILE Object signing Your exit program can, for example, look for changes that might cause the user to run an unauthorized ersion of a program. These changes might be assigning either a different job description or a new current library. Your exit program might either notify a message queue or take some action (like changing or disabling the user profile) based on the information that the exit program receies. The iseries Security Reference book proides more information about the exit programs for user profile actions. All of the security precautions you take are meaningless if someone can bypass them by introducing tampered data into your system. The iseries serer has many built-in features which you can use to keep tampered software from being loaded onto your system, and to detect any such software already there. One of the techniques added in V5R1 is object signing. Object signing is the iseries serer implementation of a cryptographic concept known as digital signatures. The idea is relatiely straightforward: once a software producer is ready to ship software to customers, the producer signs the software. This signature does not guarantee that the software performs any specific function. Howeer, it proides a way to proe that the software came from the producer who signed it, and that the software has not changed since it was produced and signed. This is particularly important if the software has been transmitted across the Internet or stored on media which you feel might hae been modified. Using digital signatures gies you greater control oer which software can be loaded onto your system, and allows you more power to detect changes once it has been loaded. The new system alue Verify Object Restore (QVFYOBJRST) proides a mechanism for setting a restrictie policy which requires all software loaded onto the system to be signed by known software sources. You can also choose a more open policy and simply erify signatures if they are present. All OS/400 software, as well as the software for options and iseries serer licensed programs, has been signed by a system trusted source. These signatures help the system protect its integrity, and they are checked when fixes are applied to the system to ensure that the fix has come from a system trusted source and that it did not change in transit. These signatures can also be checked once the software is on the system. The CHKOBJITG (Check Object Integrity) command has been expanded to check signatures in addition to other integrity features of the objects on the system. Additionally, the Digital Certificate Manager has panels that you can use to check signatures on objects, including objects in the operating system. Just as the operating system has been signed, you could use digital signatures to protect the integrity of software which is critical to your business. You might buy software which has been signed by a software proider, or you might sign software which you hae purchased or written. Part of your security policy, then, 86 Tips and tools for securing your iseries serer V5R2

might be to periodically use CHKOBJITG, or the Digital Certificate Manager, to erify that the signatures on that software are still alid that the objects hae not changed since they were signed. You might further require that all software which gets restored on your system be signed by you or a known source. Howeer, since most iseries serer software which is not produced by IBM is not currently signed, this might be too restrictie for your system. The new digital signature support gies you the flexibility to decide how best to protect your software integrity. Digital signatures that protect software are just one use of digital certificates. Additional information on managing digital certificates can be found in the Digital certificate management topic in the Information Center (see Prerequisite and related information on page xii for details). Monitor subsystem descriptions Autostart job entries When you start a subsystem on an iseries serer, the system creates an enironment for work to enter the system and run. A subsystem description defines what that enironment looks like. Subsystem descriptions, therefore, can proide an opportunity for deious users. A mischief-maker might use a subsystem description to start a program automatically or to make it possible to sign on without a user profile. When you run the Reoke Public Authority (RVKPUBAUT) command, the system sets public authority to subsystem description commands to *EXCLUDE. This preents users who are not specifically authorized (and who do not hae *ALLOBJ special authority) from changing or creating subsystem descriptions. The topics that follow proide suggestions for reiewing the subsystem descriptions that currently exist on your system. You can use the Work with Subsystem Descriptions (WRKSBSD) command to create a list of all the subsystem descriptions. When you select 5 (Display) from the list, a menu displays for the system description that you selected. It shows a list of the parts of a subsystem enironment. You select options to see details about the parts. Use the Change Subsystem Description (CHGSBSD) command to change the first two items on the menu. To change other items, use the appropriate add, remoe, or change command for the entry type. For example, to change a workstation entry, use the Change Workstation Entry (CHGWSE) command. The Work Management book proides more information about working with subsystem descriptions. It also lists the shipped alues for IBM-supplied subsystem descriptions. An autostart job entry contains the name of a job description. The job description may contain request data (RQSDTA) that causes a program or a command to run. For example, the RQSDTA might be CALL LIB1/PROGRAM1. Wheneer the subsystem starts, the system will run the program PROGRAM1 in library LIB1. Look at your autostart job entries and the associated job descriptions. Ensure that you understand the function of any program that runs automatically when a subsystem starts. Chapter 11. Preent and detect hacking attempts 87

Workstation names and workstation types Job queue entries Routing entries When a subsystem starts, it allocates all unallocated workstations that are listed (specifically or generically) in its entries for workstation names and workstations types. When a user signs on, the user is signing on to the subsystem that has allocated the workstation. The workstation entry tells what job description will be used when a job starts at that workstation. The job description may contain request data that causes a program or a command to run. For example, the RQSDTA parameter might be CALL LIB1/PROGRAM1. Wheneer a user signs on to a workstation in that subsystem, the system will run PROGRAM1 in LIB1. Look at your workstation entries and the associated job descriptions. Ensure that no one has added or updated any entries to run programs that you are not aware of. A workstation entry might also specify a default user profile. For certain subsystem configurations, this allows someone to sign on simply by pressing the Enter key. If the security leel (QSECURITY system alue) on your system is less than 40, you should reiew your workstation entries for default users. When a subsystem starts, it allocates any unallocated job queues that are listed in the subsystem description. Job queue entries do not proide any direct security exposure. Howeer, they do proide an opportunity for someone to tamper with system performance by causing jobs to run in unintended enironments. You should periodically reiew the job queue entries in your subsystem descriptions to ensure that batch jobs are running where you expect them to run. A routing entry defines what a job does once it enters the subsystem. The subsystem uses routing entries for all job types: batch, interactie, and communications jobs. A routing entry specifies the following: The class for the job. Like job queue entries, the class that is associated with a job can affect its performance but does not represent a security exposure. The program that runs when the job starts. Look at the routing entries and ensure that no one has added or updated any entries to run programs that you are not aware of. Communications entries and remote location names When a communications job enters your system, the system uses the communications entries and the remote location name entries in the actie subsystem to determine how the communications job will run. Look at the following for these entries: All subsystems are capable of running communications jobs. If a subsystem that you intend for communications is not actie, a job that is trying to enter your system might find an entry in another subsystem description that meets its needs. You need to look at the entries in all subsystem descriptions. 88 Tips and tools for securing your iseries serer V5R2

Prestart job entries Jobs and job descriptions A communications entry contains a job description. The job description may contain request data that runs a command or program. Look at your communications entries and their associated job descriptions to ensure that you understand how jobs will start. A communications entry also specifies a default user profile that the system uses in some situations. Make sure that you understand the role of default profiles. If your system contains default profiles, you should ensure that they are profiles with minimal authority. See Chapter 13, Secure APPC communications for more information about default user profiles. You can use the Print Subsystem Description (PRTSBSDAUT) command to identify communications entries that specify a user profile name. You can use prestart job entries to make a subsystem ready for certain kinds of jobs so that the jobs start more quickly. Prestart jobs may start when the subsystem starts or when they are needed. A prestart job entry specifies the following: A program to run A default user profile A job description All of these proide the potential for security exposures. You should make sure that prestart job entries perform only authorized, intended functions. Job descriptions contain request data and routing data that can cause a specific program to run when that job description is used. When the job description specifies a program in the request data parameter, the system runs the program. When the job description specifies routing data, the system runs the program that is specified in the routing entry that matches the routing data. The system uses job descriptions for both interactie and batch jobs. For interactie jobs, the workstation entry specifies the job description. Typically, the workstation entry alue is *USRPRF, so the system uses the job description that is specified in the user profile. For batch jobs, you specify the job description when you submit the job. You should periodically reiew job descriptions to make sure that they do not run unintended programs. You should also use object authority to preent changes to job descriptions. *USE authority is sufficient to run a job with a job description. A typical user does not need *CHANGE authority to job descriptions. Chapter 11. Preent and detect hacking attempts 89

SECBATCH menu options: 15 to submit immediately 54 to use the job scheduler Job descriptions can also specify what user profile the job should run under. With security leel 40 and higher, you must hae *USE authority to the job description and to the user profile that is specified in the job description. With security leels lower than 40, you need *USE authority only to the job description. You can use the Print Job Description Authority (PRTJOBDAUT) command to print a list of job descriptions that specify user profiles and hae public authority of *USE. The report shows the special authorities of the user profile that is specified in the job description. The report includes the special authorities of any group profiles that the user profile has. You can use the following command to display the user profile s priate authorities: DSPUSRPRF USRPRF(profile-name) TYPE(*OBJAUT) The job description specifies the library list that the job uses when it runs. If someone can change a user s library list, that user might run an unintended ersion of a program in a different library. You should periodically reiew the library lists that are specified in the job descriptions on your system. Finally, you should ensure that the default alues for the Submit Job (SBMJOB) command and the Create User Profile (CRTUSRPRF) command hae not been changed to point to unintended job descriptions. Architected transaction program names Some communications requests send a specific type of signal to your system. This request is called an architecture transaction program name (TPN) because the name of the transaction program is part of the APPC architecture for the system. A request for display station pass-through request is an example of an architecture TPN. Architecture TPNs are a normal way for communications to function and do not necessarily represent a security exposure. Howeer, architecture TPNs may proide an unexpected entrance into your system. Some TPNs do not pass a profile on the request. If the request becomes associated with a communications entry whose default user is *SYS, the request may be initiated on your system. Howeer, the *SYS profile can run system functions only, not user applications. If you do not want architecture TPNs to run with a default profile, you can change the default user from *SYS to *NONE in communications entries. Architected TPN requests on page 91 lists the architecture TPNs and the associated user profiles. If you do not want a specific TPN to run on your system at all, do the following: 1. Create a CL program that accepts seeral parameters. The program should perform no function. It should simply hae the Declare (DCL) statements for parameters and then end. 90 Tips and tools for securing your iseries serer V5R2

2. Add a routing entry for the TPN to each subsystem that has communications entries or remote location name entries. The routing entry should specify the following: A Compare alue (CMPVAL) alue equal to the program name for the TPN (see Architected TPN requests) with a starting position of 37. A Program to call (PGM) alue equal to the name of the program that you created in step 1 on page 90. This preents the TPN from locating another routing entry, such as *ANY. Seeral TPNs already hae their own routing entry in the QCMN subsystem. These hae been added for performance reasons. Architected TPN requests Table 17. Programs and users for TPN requests TPN request Program User profile Description X'30F0F8F1' AMQCRC6A *NONE Message queuing X'06F3F0F1' QACSOTP QUSER APPC sign-on transaction program X'30F0F2D1' QANRTP QADSM ADSM/400 APPC configuration X'30F0F1F9' QCNPCSUP *NONE Shared folders X'07F0F0F1' QCNTEDDM QUSER DDM X'07F6C4C2' QCNTEDDM QUSER Remote SQL DRDA1 X'30F0F7F7' QCQNRBAS QSVCCS SNA CC_Serer X'30F0F1F4' QDXPRCV QUSER DSNX PC receier X'30F0F1F3' QDXPSEND QUSER DSNX PC sender X'30F0F2C4' QEVYMAIN QUSER ENVY**/400 Serer X'30F0F6F0' QHQTRGT *NONE PC data queue X'30F0F8F0' QLZPSERV *NONE Client Access license manager X'30F0F1F7' QMFRCVR *NONE PC message receier X'30F0F1F8' QMFSNDR *NONE PC message sender X'30F0F6F6' QND5MAIN QUSER APPN 5394 workstation controller DB2DRDA QCNTEDDDM QUSER DB2DRDA APINGD QNMAPINGD QUSER APINGD X'30F0F5F4' QNMEVK QUSER System management utilities X'30F0F2C1' QNPSERVR *NONE PWS-I network print serer X'30F0F7F9' QOCEVOKE *NONE Cross-system calendar X'30F0F6F1' QOKCSUP QDOC Directory shadowing X'20F0F0F7' QOQSESRV QUSER DIA Version 2 X'20F0F0F8' QOQSESRV QUSER DIA Version 2 X'30F0F5F1' QOQSESRV QUSER DIA Version 2 X'20F0F0F0' QOSAPPC QUSER DIA Version 1 X'30F0F0F5' QPAPAST2 QUSER S/36 S/38 pass-through X'30F0F0F9' QPAPAST2 QUSER Printer pass-through X'30F0F4F6' QPWFSTP0 *NONE Shared Folders Type 2 X'30F0F2C8' QPWFSTP1 *NONE Client Access file serer Chapter 11. Preent and detect hacking attempts 91

Table 17. Programs and users for TPN requests (continued) TPN request Program User profile Description X'30F0F2C9' QPWFSTP2 *NONE Windows** Client Access file serer X'30F0F6F9' QRQSRVX *NONE Remote SQL conerged serer X'30F0F6F5' QRQSRV0 *NONE Remote SQL without commit X'30F0F6F4' QRQSRV1 *NONE Remote SQL without commit X'30F0F2D2' QSVRCI QUSER SOC/CT X'21F0F0F8' QS2RCVR QGATE SNADS FS2 receier X'21F0F0F7' QS2STSND QGATE SNADS FS2 sender X'30F0F1F6' QTFDWNLD *NONE PC transfer function X'30F0F2F4' QTIHNPCS QUSER TIE function X'30F0F1F5' QVPPRINT *NONE PC irtual print X'30F0F2D3' QWGMTP QWGM Ultimedia Mail/400 Serer X'30F0F8F3' QZDAINIT QUSER PWS-I data access serer X'21F0F0F2' QZDRCVR QSNADS SNADS receier X'21F0F0F1' QZDSTSND QSNADS SNADS sender X'30F0F2C5' QZHQTRG *NONE PWS-I data queue serer X'30F0F2C6' QZRCSRVR *NONE PWS-I remote command serer X'30F0F2C7' QZSCSRVR *NONE PWS-I central serer Methods for Monitoring Security Eents Setting up security is not a one-time effort. You need to constantly ealuate both the changes on your system and your security failures. Then make adjustments to your security enironment to respond to what you hae discoered. The security reports help you to monitor security-releant changes that occur on your system. Following are other system functions that you can use to help you to detect security failures or exposures: Security auditing is a powerful tool that you can use to obsere many different types of security-releant eents that occur on your system. For example, you can set up the system to write an audit record eery time a user opens a particular database file for updating. You can audit all changes to system alues. You can audit actions that happen when users restore objects. Chapter 9 in the iseries Security Reference book proides complete information about the security auditing function. You can use the Change Security Auditing (CHGSECAUD) command to set up security auditing on your system. You can also use the Display Audit Journal Entries (DSPAUDJRNE) command to print selected information from the security audit journal. You can create the QSYSMSG message queue to capture critical system-operator messages. The QSYSOPR message queue receies many messages of arying importance throughout a typical business day. Critical, security-releant messages may be oerlooked because of the sheer olume of messages in the QSYSOPR message queue. If you create a QSYSMSG message queue in the QSYS library on your system, the system automatically directs certain critical messages to the QSYSMSG message queue instead of to the QSYSOPR message queue. 92 Tips and tools for securing your iseries serer V5R2

Either you can create a program to monitor the QSYSMSG message queue, or you can assign it in break mode to yourself or to another trusted user. Chapter 11. Preent and detect hacking attempts 93

94 Tips and tools for securing your iseries serer V5R2

Part 4. Applications and network communications Copyright IBM Corp. 1996, 2002 95

96 Tips and tools for securing your iseries serer V5R2

Chapter 12. Use Integrated File System to secure files The integrated file system proides you with multiple ways to store and iew information on the iseries serer. The integrated file system is a part of the OS/400 operating system that supports stream input and output operations. It proides storage management methods that are similar to (and compatible with) personal computer operating systems and UNIX operating systems. With the integrated file system, all objects on the system can be iewed from the perspectie of a hierarchical directory structure. Howeer, in most cases, users iew objects in the way that is most common for a particular file system. For example, traditional iseries objects are in the QSYS.LIB file system. Typically, users iew these objects from the perspectie of libraries. Users typically iew objects in the QDLS file system from the perspectie of documents within folders. The root (/), QOpenSys, and user-defined file systems present a structure of hierarchical (nested) directories. As a security administrator, you need to understand the following: Which file systems are used on your system The unique security characteristics of each file system The topics that follow proide some general considerations for the security of the integrated file system. The Integrated File System approach to security The root file system acts as an umbrella (or a foundation) for all other file systems on iseries serers. At a high leel, it proides an integrated iew of all of the objects on the system. Other file systems that can exist on iseries serers proide arying approaches to object management and integration, depending on the underlying purpose of each file system. The QOPT (optical) file system, for example, allows iseries applications and serers (including the iseries Access for Windows file serer) to access the CD-ROM drie on the iseries serer. Similarly, the QFileSr.400 file system allows applications to access integrated file system data on remote iseries serers. The QLANSr file serer allows access to files stored on Integrated xseries Serer for iseries or other connected serers in the network. The security approach for each file system depends on the data that the file system makes aailable. The QOPT file system, for example, does not proide object-leel security because no technology exists to write authority information to a CD-ROM. For the QFileSr.400 file system, access control occurs at the remote system (where the files are physically stored and managed). For file systems like QLANSr, the Integrated xseries Serer for iseries proides access control. Despite the differing security models, many file systems support consistent management of access control through the integrated file system commands, such as Change Authority (CHGAUT) and Change Owner (CHGOWN). Here are some tips related to the nooks and crannies of integrated file system security. The integrated file system is designed to follow POSIX standards as closely as possible. This leads to some interesting behaior where iseries serer authority and POSIX permissions are blended : Copyright IBM Corp. 1996, 2002 97

1. Do not remoe the priate authority for a user to a directory owned by that user, een if that user is authorized through the public authority, a group, or authorization list. When working with libraries or folders in the standard iseries serer security model, remoing the owner s priate authority would reduce the amount of authority information stored for a user profile and would not affect other operations. But, because of the way the POSIX standard defines permission inheritance for directories, the owner of a newly-created directory will hae the same object authorities to that directory as the owner of the parent has to the parent, een if the owner of the newly-created directory has other priate authorities to the parent. That may be hard to understand, so here s an example: USERA owns directory /DIRA, but USERA s priate authorities hae been remoed. USERB has priate authority to /DIRA. USERB creates directory /DIRA/DIRB. Because USERA has no object authorities to /DIRA, USERB will hae no object authorities to /DIRA/DIRB. USERB will be unable to rename or delete /DIRA/DIRB without further action to change USERB s object authorities. This also comes into play when creating files with the open() API using the O_INHERITMODE flag. If USERB created a file /DIRA/FILEB, USERB would hae no object authorities AND no data authorities to it. USERB could not write to the new file. 2. Adopted authority is not honored by most physical file systems. This includes the root (/), QOpenSys, QDLS, and user-defined file systems. 3. Any objects are owned by the user profile which created the objects, een if the OWNER field of the user profile is set to *GRPPRF. 4. Many file system operations require *RX data authority to eery component of the path, including the root (/) directory. When experiencing authority problems, make sure to check the user s authorization to the root itself. 5. Displaying or retrieing the current working directory (DSPCURDIR, getcwd(), etc.) requires *RX data authority to eery component in the path. Howeer, changing the current working directory (CD, chdir(), etc.) only requires *X data authority to eery component. Therefore, a user may change the current working directory to a certain path and then be unable to display that path. 6. The intent of the COPY command is to duplicate an object. The authority settings on the new file will be the same as the original except for the owner. The intent of the CPYTOSTMF command, howeer, is simply to duplicate data. The authority settings on the new file cannot be controlled by the user. The creator/owner will hae *RWX data authority, but the group and public authorities will be *EXCLUDE. The user must use another means (CHGAUT, chmod(), etc.) to assign the desired authorities. 7. A user must be the owner or hae *OBJMGT object authority to an object to retriee authority information about the object. This pops up in some unexpected places, like COPY, which must retriee the authority information on the source object to set the equialent authorities on the target object. 8. When changing the owner or group of an object, the user must not only hae appropriate authority to the object, but also must hae *ADD data authority to the new owner/group user profile and *DELETE data authority to the old owner/group profile. These data authorities are not related to the file system data authorities. These data authorities can be displayed using the DSPOBJAUT command and changed using the EDTOBJAUT command. This also pops up unexpectedly on COPY when it tries to set the group ID for a new object. 9. The MOV command is prone to puzzling authority errors, especially when moing from one physical file system to another, or when performing data conersion. In these cases, the moe actually becomes a copy-and-delete operation. Therefore, the MOV command can be affected by all of the same 98 Tips and tools for securing your iseries serer V5R2

authority considerations as the COPY command (see 7 and 8 aboe) and the RMVLNK command, in addition to other specific MOV considerations. Following sections proide you with some considerations for seeral representatie file systems. For more information about a specific file system on your iseries serer, you will need to consult the documentation for the licensed program that uses the file system. Root (/), QOpenSys, and user-defined file systems Following are security considerations for the root, QOpenSys, and user-defined file systems. How authority works The root, QOpenSys, and user-defined file systems proide a blending of iseries serer, PC, and UNIX** capabilities both for object management and for security. When you use the integrated file system commands from an iseries serer session (WRKAUT and CHGAUT), you can set all the normal iseries serer object authorities. This includes the *R, *W, and *X authorities that are compatible with Spec 1170 (UNIX-type operating systems). Note: The root, QOpenSys, and user-defined file systems are functionally equialent. The QOpenSys file system is case-sensitie. The root file system is not. User-defined file systems can be defined as case-sensitie. Because these file systems hae the same security characteristics, you can assume in the topics that follow that their names are used interchangeably. When you access the root file system as an administrator from a PC session, you can set object attributes that the PC uses to restrict certain types of access: System Hidden Archie Read-only These PC attributes are in addition to, not replacements for, iseries serer object authority alues. When a user attempts to access an object in the root file system, OS/400 enforces all of the object authority alues and attributes for the object, whether or not those authorities are isible from the user s interface. For example, assume that the read-only attribute for an object is set on. A PC user cannot delete the object through a iseries Access interface. An iseries serer user with a fixed function workstation cannot delete the object either, een if the iseries serer user has *ALLOBJ special authority. Before the object can be deleted, an authorized user must use a PC function to reset the read-only alue to off. Similarly, a PC user might not hae sufficient OS/400 authority to change the PC-releant security attributes of an object. UNIX-type applications that run on iseries serers use UNIX-like application programming interfaces (APIs) to access data in the root file system. With UNIX-like APIs, applications can recognize and maintain the following security information: Object owner Group owner (iseries serer primary group authority) Read (files) Write (change contents) Chapter 12. Use Integrated File System to secure files 99

Execute (run programs or search directories) The system maps these data authorities to existing iseries serer object and data authorities: Read (*R) = *OBJOPR and *READ Write (*W) = *OBJOPR, *ADD, *UPD, *DLT Execute (*X) = *OBJOPR and *EXECUTE The concepts for other object authorities (*OBJMGT, *OBJEXIST, *OBJALTER, and *OBJREF) do not exist in a UNIX-type enironment. Howeer, these object authorities do exist for all of the objects in the root file system. When you create an object using a UNIX-like API, that object inherits these authorities from the parent directory, resulting in the following: The new object s owner has the same object authority as the parent directory s owner. The new object s primary group has the same object authority as the parent directory s primary group. The new object s public has the same object authority as the parent directory s public. The new object s data authority for owner, primary group, and public are specified on the API with the mode parameter. When all of the object authorities are set on, you get the authority behaior that you would expect in a UNIX-type enironment. It is best to leae them set on, unless you do not want the POSIX-like behaior. When you run applications that use UNIX-like APIs, the system enforces all object authorities, whether or not they are isible to UNIX-type applications. For example, the system will enforce the authority of authorization lists een though the concept of authorization lists does not exist in UNIX-type operating systems. When you hae a mixed-application enironment, you need to ensure that you do not make authority changes in one enironment that will break your applications in another enironment. Work with security for the Root (/), QOpenSys, and user-defined file systems With the introduction of the integrated file system, iseries serers also proided a new set of commands for working with objects in multiple file systems. This command set includes commands for working with security: Change Auditing (CHGAUD) Change Authority (CHGAUT) Change Owner (CHGOWN) Change Primary Group (CHGPGP) Display Authority (DSPAUT) Work with Authority (WRKAUT) These commands group the underlying data and object authorities into the UNIX-like authority subsets: *RWX Read/write/execute *RW Read/write *R Read *WX Write/execute *W Write *X Execute 100 Tips and tools for securing your iseries serer V5R2

In addition, UNIX-like APIs are aailable to work with security. Public authority to the root directory When your system ships, the public authority to the root directory is *ALL (all object authorities and all data authorities). This setting proides flexibility and compatibility with both what UNIX-like applications expect and what typical iseries serer users expect. An iseries serer user with command-line capability can create a new library in the QSYS.LIB file system simply by using the CRTLIB command. Normally, authority on a typical iseries serer allows this. Similarly, with the shipped setting for the root file system, a typical user can create a new directory in the root file system (just like you can create a new directory on your PC). As a security administrator, you must educate your users about adequately protecting the objects that they create. When a user creates a library, probably the public authority to the library should not be *CHANGE (the default). The user should set public authority either to *USE or to *EXCLUDE, depending on the contents of the library. If your users need to create new directories in the root (/), QOpenSys, or user-defined file systems, you hae seeral security options: You can educate your users to oerride the default authority when they create new directories. The default is to inherit authority from the immediate parent directory. In the case of a newly created directory in the root directory, by default the public authority will be *ALL. You can create a master subdirectory under the root directory. Set the public authority on that master directory to an appropriate setting for your organization. Then instruct users to create any new personal directories in this master subdirectory. Their new directories will inherit its authority. You can consider changing the public authority for the root directory to preent users from creating objects in that directory. (Remoe *W, *OBJEXIST, *OBJALTER, *OBJREF, and *OBJMGT authorities.) Howeer, you need to ealuate whether this change will cause problems for any of your applications. You might, for example, hae UNIX-like applications that expect to be able to delete objects from the root directory. Print priate authorities objects (PRTPVTAUT) command The Print Priate Authorities (PRTPVTAUT) command allows you to print a report of all the priate authorities for objects of a specified type in a specified library, folder, or directory. The report lists all objects of the specified type and the users that are authorized to the object. This is a way to check for different sources of authority to objects. This command prints three reports for the selected objects. The first report (Full Report) contains all of the priate authorities for each of the selected objects. The second report (Changed Report) contains additions and changes to the priate authorities to the selected objects if the PRTPVTAUT command was preiously run for the specified objects in the specified library, folder, or directory. Any new objects of the selected type, new authorities to existing objects, or changes to existing authorities to the existing objects are listed in the Changed Report. If the PRTPVTAUT command was not preiously run for the specified objects in the specified library, folder, or directory, there will be no Changed Report. If the Chapter 12. Use Integrated File System to secure files 101

command has been preiously run but no changes hae been made to the authorities on the objects, then the Changed Report is printed but there are no objects listed. The third report (Deleted Report) contains any deletions of priately authorized users from the specified objects since the PRTPVTAUT command was preiously run. Any objects that were deleted or any users that were remoed as priately authorized users are listed in the Deleted Report. If the PRTPVTAUT command was not preiously run, there will be no Deleted Report. If the command has been preiously run but no delete operations hae been done to the objects, then the Deleted Report is printed but there are no objects listed. Restriction: You must hae *ALLOBJ special authority to use this command. Examples: This command creates the full, changed, and deleted reports for all file objects in the PAYROLLLIB: PRTPVTAUT OBJTYPE(*FILE) LIB(PAYROLLLIB) This command creates the full, changed, and deleted reports for all the stream file objects in the directory garry: PRTPVTAUT OBJTYPE(*STMF) DIR(/GARRY) SCHSUBDIR(*NO) This command creates the full, changed, and deleted reports for all the stream file objects in the subdirectory structure that starts at the directory garry: PRTPVTAUT OBJTYPE(*STMF) DIR(/GARRY) SCHSUBDIR(*YES) Print publicly authorized objects (PRTPUBAUT) command The Print Publicly Authorized Objects (PRTPUBAUT) command allows you to print a report of the specified objects that do not hae public authority of *EXCLUDE. For *PGM objects, only the programs that do not hae public authority of *EXCLUDE that a user can call (the program is either user domain or the system security leel (QSECURITY system alue) is 30 or below) will be included in the report. This is a way to check for objects that eery user on the system is authorized to access. This command will print two reports. The first report (Full Report) will contain all of the specified objects that do not hae public authority of *EXCLUDE. The second report (Changed Report) will contain the objects that now do not hae public authority of *EXCLUDE that did hae public authority of *EXCLUDE or did not exist when the PRTPUBAUT command was preiously run. If the PRTPUBAUT command was not preiously run for the specified objects and library, folder, or directory, there will be no Changed Report. If the command has been preiously run, but no additional objects do not hae public authority of *EXCLUDE, then the Changed Report will be printed but there will be no objects listed. Restrictions: You must hae *ALLOBJ special authority to use this command. Examples: This command creates the full, and changed reports for all the file objects in the library GARRY that do not hae a public authority of *EXCLUDE: 102 Tips and tools for securing your iseries serer V5R2

PRTPUBAUT OBJTYPE(*FILE) LIB(GARRY) This command creates the full, changed, and deleted reports for all the stream file objects in the subdirectory structure that starts at the directory garry that do not hae a public authority of *EXCLUDE: PRTPUBAUT OBJTYPE(*STMF) DIR(GARRY) SCHSUBDIR(*YES) Restrict access to the QSYS.LIB file system Because the root file system is the umbrella file system, the QSYS.LIB file system appears as a subdirectory within the root directory. Therefore, any PC user with access to your iseries serer can manipulate objects stored in iseries serer libraries (the QSYS.LIB file system) with normal PC commands and actions. A PC user could, for example, drag a QSYS.LIB object (such as the library with your critical data files) to the shredder. As you learned in Root (/), QOpenSys, and user-defined file systems on page 99, the system enforces all object authority whether or not it is isible to the interface. Therefore, a user cannot shred (delete) an object unless the user has *OBJEXIST authority to the object. Howeer, if your iseries depends on menu access security rather than object security, the PC user might ery well discoer objects in the QSYS.LIB file system that are aailable for shredding. As you expand the uses of your system and the different methods of access that you proide, you will soon discoer that menu access security is not sufficient. Chapter 6, Protect information assets with object authority on page 49 discusses your strategies for supplementing menu access control with object security. Howeer, iseries serers also proide a simple way for you to preent access to the QSYS.LIB file system through the root file system directory structure. You can use the QPWFSERVER authorization list to control which users can access the QSYS.LIB file system through the root directory. When a user s authority to the QPWFSERVER authorization list is *EXCLUDE, the user cannot enter the QSYS.LIB directory from the root directory structure. When a user s authority is *USE, the user can enter the directory. Once the user has authority to enter the directory, normal object authority applies for any action the user attempts to perform on an object within the QSYS.LIB file system. In other words, the authority to the QPWFSERVER authorization list acts like a door to the entire QSYS.LIB file system. For the user with *EXCLUDE authority, the door is locked. For the user with *USE authority (or any greater authority), the door is open. For most situations, users do not need to use a directory interface to access objects in the QSYS.LIB file system. Probably, you will want to set the public authority to the QPWFSERVER authorization list to *EXCLUDE. Keep in mind, that authority to the authorization list opens or closes the door to all libraries within the QSYS.LIB file system, including user libraries. If you encounter users who object to this exclusion, you can ealuate their requirements on an indiidual basis. If appropriate, you can explicitly authorize an indiidual user to the authorization list. Howeer, you need to ensure that the user has appropriate authority to objects within the QSYS.LIB file system. Otherwise, the user might unintentionally delete objects or entire libraries. Notes: 1. When your system ships, the public authority to the QPWFSERVER authorization list is *USE. Chapter 12. Use Integrated File System to secure files 103

Secure directories Security for new objects 2. If you explicitly authorize an indiidual user, the authorization list controls access only with iseries Access file sering, NetSerer file sering and file sering between iseries serers. This does not preent access to the same directories ia FTP, ODBC, and other networks. To access an object within the root file system, you read through the entire path to that object. To search a directory, you must hae *X (*OBJOPR and *EXECUTE) authority to that directory. Assume, for example, that you want to access the following object: /companya/customers/custfile.dat You must hae *X authority to the companya directory and to the customers directory. With the root file system, you can create a symbolic link to an object. Conceptually, a symbolic link is an alias for a path name. Usually, it is shorter and easier to remember than the full path name. A symbolic link does not, howeer, create a different physical path to the object. The user still needs *X authority to eery directory and subdirectory in the physical path to the object. For objects in the root file system, you can use directory security just as you might use library security in the QSYS.LIB file system. You can, for example, set the public authority of a directory to *EXCLUDE to preent public users from accessing any objects within that tree. When you create a new object in the root file system, the interface that you use to create it determines its authorities. For example, if you use the CRTDIR command and its defaults, the new directory inherits all of the authority characteristics of its parent directory, including priate authorities, primary group authority, and authorization list association. The following sections describe how authorities are determined for each type of interface. Authority comes from the immediate parent directory, not from directories higher up in the tree. Therefore, as a security administrator, you need to iew the authority that you assign to directories in a hierarchy from two perspecties: How the authority affects access to objects in the tree (like library authority). How the authority affects newly created objects (like the CRTAUT alue for libraries). Recommendation: You may want to gie users who work in the integrated file system a home directory (for example, /home/usrxxx), then set the security appropriately (such as PUBLIC *EXCLUDE). Any directories the user creates under their home directory will then inherit the authorities. Following are the descriptions of authority inheritance for different interfaces: Use the Create Directory command When you create a new subdirectory by using the CRTDIR command, you hae two options for specifying authority: 104 Tips and tools for securing your iseries serer V5R2

You can specify the public authority (data authority, object authority, or both). You can specify *INDIR for the data authority, object authority, or both. When you specify *INDIR for both data authority and object authority, the system makes an exact copy of all the authority information from the parent directory to the new object, including authorization list, primary group, public authority, and priate authorities. (The system does not copy priate authority that the QSYS profile or the QSECOFR profile has to the object.) Create a directory with an API When you create a directory by using the mkdir() API, you specify the data authorities for the owner, the primary group, and public (using the authority map of *R, *W, and *X). The system uses the information in the parent directory to set the object authorities for the owner, primary group, and public. Because UNIX-type operating systems do not hae the concept of object authorities, the mkdir() API does not support specifying object authorities. If you want different object authorities, you can use the iseries serer command (CHGAUT). Howeer, when you remoe some object authorities, the UNIX-like application might not work as you expect it to work. Create a stream file with the open() or creat() API When you use the creat() API to create a stream file, you can specify the data authorities for the owner, the primary group, and public (using the UNIX-like authorities of *R, *W, and *X). The system uses the information in the parent directory to set the object authorities for the owner, primary group, and public. You can also specify these authorities when you use the open() API to create a stream file. Alternatiely, when you use the open() API you can specify that the object should inherit all authorities from the parent directory. This is called inherit mode. When you specify inherit mode, the system then creates a complete match for the parent authorities, including authorization list, primary group, public authority, and priate authorities. This option works like specifying *INDIR on the CRTDIR command. Create an object by using a PC interface When you use a PC application to create an object in the root file system, the system automatically inherits all authority from the parent directory. This includes authorization list, primary group, public authority, and priate authorities. PC applications do not hae any equialent to specifying authority when you create an object. QFileSr.400 file system With the QFileSr.400 file system, a user (USERX) on one iseries system (SYSTEMA) can access data on another connected iseries system (SYSTEMB). The USERX has an interface that is just like the Client Access interface. The remote iseries serer (SYSTEMB) appears as a directory with all its file systems as subdirectories. When USERX attempts to access SYSTEMB with this interface, SYSTEMA sends USERX s user profile name and encrypted password to SYSTEMB. The same user profile and password must exist on SYSTEMB or SYSTEMB rejects the request. Chapter 12. Use Integrated File System to secure files 105

Network file system If SYSTEMB accepts the request, USERX appears to SYSTEMB just like any Client Access user. The same authority-checking rules apply to any actions that USERX attempts. As a security administrator, you need to be aware that the QFileSr.400 file system represents another possible door to your system. You cannot assume that you are limiting your remote users to an interactie sign on with display station passthrough. If you hae the QSERVER subsystem running and your system is connected to another iseries system, remote users can access your system as if they are on a local PC running Client Access. More than likely, your system will hae a connection that needs to hae the QSERVER subsystem running. This is yet another reason why a good object authority scheme is essential. The Network File System (NFS) proides access to and from systems that hae NFS implementations. NFS is an industry-standard method for sharing information among users on networked systems. Most major operating system (including PC operating systems) proide NFS. For UNIX systems, NFS is the primary method for accessing data. iseries serers can act as both an NFS client and an NFS serer. When you are the security administrator of an iseries system that acts as an NFS serer, you need to understand and manage the security aspects of NFS. Following are suggestions and considerations: You must explicitly start the NFS serer function by using the STRNFSSVR command. Control who has authority to use this command. You make a directory or an object aailable to NFS clients by exporting it. Therefore, you hae ery specific control oer which parts of your system you will make aailable to NFS clients in your network. When you export, you can specify which clients hae access to the objects. You identify a client by system name or IP address. A client can be an indiidual PC or an entire iseries serer or UNIX system. In NFS terminology, the client (IP address) is called a machine. When you export, you can specify read-only access or read/write access for each machine that has access to an exported directory or object. In most cases, you will probably want to proide read-only access. The NFS does not proide password protection. It is designed and intended for data sharing within a trusted community of systems. When a user requests access, the serer receies the user s uid. Following are some uid considerations: The iseries serer attempts to locate a user profile with the same uid. Ifit finds a matching uid, it uses the credentials of the user profile. Credentials is an NFS term to describe using the authority of a user. This is similar to profile swapping in other iseries serer applications. When you export a directory or object, you can specify whether you will allow access by a profile with root authority. The NFS serer on iseries serers equates root authority to *ALLOBJ special authority. If you specify that you will not allow root authority, an NFS user with a uid that maps to a user profile with *ALLOBJ special authority will not be able to will not be able to access the object under that profile. Instead, if anonymous access is allowed, the requester will be mapped to the anonymous profile. When you export a directory or object, you can specify whether you will allow anonymous requests. An anonymous request is a request with a uid that does not match any uid on your system. If you choose to allow anonymous requests, the system maps the anonymous user to the 106 Tips and tools for securing your iseries serer V5R2

IBM-supplied QNFSANON user profile. This user profile does not hae any special authorities or explicit authority. (On the export, you can specify a different user profile for anonymous requests if you want.) When your iseries serer participates in an NFS network (or any network with UNIX systems that depend on uids), you probably need to manage your own uids instead of letting the system assign them automatically. You will need to coordinate uids with other systems in your network. You might discoer that you need to change uids (een for IBM-supplied user profiles) to hae compatibility with other systems in your network. A program is aailable to make it simpler to change the uid for a user profile. (When you change the uid for a user profile, you also need to change the uid for all the objects that the profile owns in either the root directory or the QOpenSr directory.) The QSYCHGID program automatically changes the uid in both the user profile and all the owned objects. For information about how to use this program, see the iseries System API Reference book. Chapter 12. Use Integrated File System to secure files 107

108 Tips and tools for securing your iseries serer V5R2

Chapter 13. Secure APPC communications When your system participates in a network with other systems, a new set of doors and windows to your system becomes aailable. As security administrator, you should be aware of the options that you can use to control the entrances to your system in an APPC enironment. Adanced program-to-program communications (APPC) is a way that computers, including personal computers, communicate with each other. Display station passthrough, distributed data management, and iseries Access for Windows can all use APPC communications. The topics that follow proide some basic information about how APPC communications works and how you can set up appropriate security. These topics concentrate primarily on the security-releant elements of an APPC configuration. To adapt this example to your situation, you will need to work with the people who manage your communications network and perhaps your application proiders. Use this information as a foundation to help you understand the security issues and the options that are aailable for APPC. Security is neer free. Some suggestions for making network security easier may make network administration more difficult. For example, this information does not emphasize APPN (Adanced Peer-to-Peer Networking ), because security is easier to understand and manage without APPN. Howeer, without APPN, the network administrator must manually create configuration information that APPN creates automatically. PCs Use Communications, too Many methods for connecting PCs to your iseries serers depend on communications, such as APPC or TCP/IP. When you read the topics the following, be sure to consider the security issues for connecting both to other systems and to PCs. When you plan your network protection, make sure that you do not adersely affect the PCs that are attached to your system. APPC Terminology APPC proides the ability for a user on one system to perform work on another system. The system from which the request starts is called any of the following: Source system Local system Client The system that receies the request is called any of the following: Target system Remote system Serer Copyright IBM Corp. 1996, 2002 109

Basic elements of APPC communications From the perspectie of a security administrator, the following must happen before a user on one system (SYSTEMA) can perform meaningful work on another system (SYSTEMB): The source system (SYSTEMA) must proide a path to the target system (SYSTEMB). This path is called an APPC session. The target system must identify the user and associate the user with a user profile. The target system must support the encryption algorithm of the source system (see Password leels on page 20for more information). The target system must start a job for the user with an appropriate enironment (work management alues). The topics that follow discuss these elements and how they relate to security. The security administrator on the target system has primary responsibility for ensuring that APPC users do not iolate security. Howeer, when the security administrators on both systems work together, the job of managing APPC security is much easier. Example: A basic APPC session In an APPC enironment, when a user or application on one system requests access to another system, the two systems set up a session. To establish the session, the systems must link two matching APPC deice descriptions. The remote location name (RMTLOCNAME) parameter in the SYSTEMA deice description must match the local location name (LCLLOCNAME) parameter in the SYSTEMB deice description and ice ersa. For the two systems to establish an APPC session, the location passwords in the APPC deice descriptions on SYSTEMA and SYSTEMB must be identical. Both must specify *NONE, or both must specify the same alue. If the passwords are a alue other than *NONE, they are stored and transmitted in encrypted format. If the passwords match, the systems establish a session. If the passwords do not match, the user s request is rejected. When systems specify location passwords to establish a session, this is called a secure bind. Note: Not all computer systems proide support for the secure bind function. Restrict APPC sessions As security administrator on a source system, you can use object authority to control who can attempt to access other systems. Set the public authority for APPC deice descriptions to *EXCLUDE and gie *CHANGE authority to specific users. Use the QLMTSECOFR system alue to preent users with *ALLOBJ special authority from using APPC communications. As security administrator on a target system, you can also use authority to APPC deices to preent users from starting an APPC session on your system. Howeer, you need to understand what user ID will be attempting to access the APPC deice description. APPC user access to the target system on page 111 describes how iseries serers associates a user ID with a request for an APPC session. Note: You can use the Print Publicly Authorized Objects (PRTPUBAUT *DEVD) command and the Print Priate Authorities (PRTPVTAUT *DEVD) command to find out who has authority to deice descriptions on your system. 110 Tips and tools for securing your iseries serer V5R2

When your system uses APPN, it automatically creates a new APPC deice when no existing deice is aailable for the route that the system has chosen. One method for restricting access to APPC deices on a system that is using APPN is to create an authorization list. The authorization list contains the list of users who should be authorized to APPC deices. You then use the Change Command Default (CHGCMDDFT) command to change the CRTDEVAPPC command. For the authority (AUT) parameter on the CRTDEVAPPC command, set the default alue to the authorization list that you created. Note: If your system has a language other than English, you need to change the command default in the QSYSxxxx library for each national language that is on your system. You use the location password (LOCPWD) parameter in the APPC deice description to alidate the identity of another system that is requesting a session on your system (on behalf of a user or an application). The location password can help you detect an imposter system. When you use location passwords, you must coordinate with security administrators for other systems in the network. You must also control who can create or change APPC deice descriptions and configuration lists. The system requires *IOSYSCFG special authority to use the commands that work with APPC deices and configuration lists. Note: When you use APPN, the location passwords are stored in the QAPPNRMT configuration list rather than in deice descriptions. APPC user access to the target system When the systems establish the APPC session, they create a path for the requesting user to get to the door of the target system. Seeral other elements determine what the user must do to gain entrance to the other system. The topics that follow describe the elements that determine how an APPC user gains entrance to the target system. System methods for sending information about a user APPC architecture proides three methods for sending security information about a user from the source system to the target system. These methods are referred to as the architected security alues. Table 18 shows these methods: Note: The APPC Programming book proides more information about the architected security alues. Table 18. Security alues in the APPC architecture Architected security alue User ID sent to target system Password sent to target system None No No Same Yes 1 See note 2. Program Yes Yes 3 Chapter 13. Secure APPC communications 111

Table 18. Security alues in the APPC architecture (continued) Architected security alue User ID sent to target system Password sent to target system Notes: 1. The source system sends the user ID if the target system specifies SECURELOC(*YES) or SECURELOC(*VFYENCPWD). 2. The user does not enter a password on the request because the password is already erified by the source system. For SECURELOC(*YES) and SECURELOC(*NO), the source system does not send the password. For SECURELOC(*VFYENCPWD), the source system retriees the stored, encrypted password and sends it (in encrypted form). 3. The system sends the password in encrypted form if both the source and target systems support password encryption. Otherwise, the password is not encrypted. The application that the user requests determines the architected security alue. For example, SNADS always uses SECURITY(NONE). DDM uses SECURITY(SAME). With display station passthrough, the user specifies the security alue by using parameters on the STRPASTHR command. In all cases, the target system chooses whether to accept a request with the security alue that is specified on the source system. In some situations, the target system may reject the request completely. In other situations, the target system may force a different security alue. For example, when a user specifies both a user ID and a password on the STRPASTHR command, the request uses SECURITY(PGM). Howeer, if the QRMTSIGN system alue is *FRCSIGNON on the target system, the user still sees a Sign On display. With the *FRCSIGNON setting, the systems always use SECURITY(NONE), which is the equialent of the user entering no user ID and password on the STRPASTHR command. Notes: 1. The source and target systems negotiate the security alue before data is sent. In the situation where the target system specifies SECURELOC(*NO) and the request is SECURITY(SAME), for example, the target system tells the source system to use SECURITY(NONE). The source system does not send the user ID. 2. The target system rejects a session request when the user s password on the target system has expired. This applies only to connection requests that send a password, including the following: Session requests of type SECURITY(PROGRAM). Session requests of type SECURITY(SAME) when the SECURELOC alue is *VFYENCPWD. Options for diiding network security responsibility When your system participates in a network, you must decide whether to trust the other systems to alidate the identity of a user who is trying to enter your system. Will you trust SYSTEMA to ensure that USERA is really USERA (or QSECOFR is really QSECOFR)? Or will you require a user to proide a user ID and password again? The secure location (SECURELOC) parameter on the APPC deice description on the target system specifies whether the source system is a secure (trusted) location. 112 Tips and tools for securing your iseries serer V5R2

When both systems are running a release that supports *VFYENCPWD, SECURELOC(*VFYENCPWD) proides additional protection when applications use SECURITY(SAME). Although the requester does not enter a password on the request, the source system retriees the user s password and sends it with the request. For the request to be successful, the user must hae the same user ID and password on both systems. When the target system specifies SECURELOC(*VFYENCPWD) and the source system does not support this alue, the target system handles the request as SECURITY(NONE). Table 19 shows how the architected security alue and the SECURELOC alue work together: Table 19. How the APPC security alue and the SECURELOC alue work together Source system Target system Architected SECURELOC alue security alue User profile for job None Any Default user 1 Same *NO Default user 1 *YES Same user profile name as requester from source system *VFYENCPWD Same user profile name as requester from source system. The user must hae the same password on both systems. Program Any The user profiles that is specified on the request from the source system. Notes: 1. The default user is determined by the communications entry in the subsystem description. Target system assignment of user profiles for jobs describes this. Target system assignment of user profiles for jobs When a user requests an APPC job on another system, the request has a mode name associated with it. The mode name may come from the user s request, or it may be a default alue from the network attributes of the source system. The target system uses the mode name and the APPC deice name to determine how the job will run. The target system searches the actie subsystems for a communications entry that is the best match for the APPC deice name and the mode name. The communications entry specifies what user profile the system will use for SECURITY(NONE) requests. Following is an example of a communications entry in a subsystem description: Chapter 13. Secure APPC communications 113

Display Communications Entries Subsystem description: QCMN Status: ACTIVE Job Default Max Deice Mode Description Library User Actie *ALL *ANY *USRPRF *SYS *NOMAX *ALL QPCSUPP *USRPRF *NONE *NOMAX Table 20 shows the possible alues for the default user parameter in a communications entry: Table 20. Possible alues for the default user parameter Value Result *NONE *SYS user-name No default user is aailable. If the source system does not supply a user ID on the request, the job will not run. Only IBM-supplied programs (system jobs) will run. No user applications will run. If the source system does not send a user ID, the job runs under this user profile. You can use the Print Subsystem Description (PRTSBSDAUT) command to print a list of all subsystems that hae communications entries with a default user profile. Display station passthrough options Display station passthrough is an example of an application that uses APPC communications. You can use display station passthrough to sign on to another system that is connected to your system through a network. Table 21 shows examples of passthrough requests (STRPASTHR command) and how the target system handles them. For display station passthrough, the system uses the basic elements of APPC communications and the remote sign-on (QRMTSIGN) system alue. Note: Display Station Passthrough requests are no longer routed through the QCMN or QBASE subsystems. Beginning with V4R1, they are routed through the QSYSWRK subsystem. Prior to V4R1 you could assume that by not haing QCMD or QBASE subsystems started, Display Station Passthrough would not work. This is no longer true. You can force Display Station Passthrough to go through QCMN (or QBASE if it is actie) by changing the QPASTHRSVR system alue to 0. Table 21. Sample pass-through sign-on requests Values on STRPASTHR command Target system User ID Password SECURELOC alue QRMTSIGN alue result *NONE *NONE Any Any The user must sign on the target system. A user profile name Not entered Any Any The request fails. 114 Tips and tools for securing your iseries serer V5R2

Table 21. Sample pass-through sign-on requests (continued) Values on STRPASTHR command Target system User ID Password SECURELOC alue QRMTSIGN alue result *CURRENT Not entered *NO Any The request fails *YES *SAMEPRF *VERIFY An interactie job starts with the same user profile name as the user profile on the source system. No password is passed to the remote system. The user profile name must exist on the target system. *FRCSIGNON The user must sign on the target system. *VFYENCPWD *SAMEPRF *VERIFY An interactie job starts with the same user profile name as the user profile on the source system. The source system retriees the user s password and sends it to the remote system. The user profile name must exist on the target system. *CURRENT (or the name of the current user profile for the job) A user profile name (a name different from the current user profile for the job) *FRCSIGNON The user must sign on the target system. Entered Any *SAMEPRF *VERIFY An interactie job starts with the same user profile name as the user profile on the source system. The password is sent to the remote system. The user profile name must exist on the target system. *FRCSIGNON The user must sign on the target system. Entered Any *SAMEPRF The request fails. *VERIFY An interactie job starts with the same user profile name as the user profile on the source system. The password is sent to the remote system. The user profile name must exist on the target system. *FRCSIGNON An interactie job starts with the specified user profile name. The password is sent to the target system. The user profile name must exist on the target system. Chapter 13. Secure APPC communications 115

Aoid unexpected deice assignments When a failure occurs on an actie deice, the system attempts to recoer. In some circumstances, when the connection is broken, another user can unintentionally reestablish the session that had the failure. For example, assume that USERA powered off a workstation without signing off. USERB could power on the workstation and restart USERA s session without signing on. To preent this possibility, set the Deice I/O Error Action (QDEVRCYACN) system alue to *DSCMSG. When a deice fails, the system will end the user s job. Control remote commands and batch jobs Seeral options are aailable to help you control what remote commands and jobs can run on your system, including the following: If your system uses DDM, you can restrict access to DDM files to preent users from using the Submit Remote Command (SBMRMTCMD) command from another system. To use the SBMRMTCMD, the user must be able to open a DDM file. You also need to restrict the ability to create DDM files. You can specify an exit program for the DDM request access (DDMACC) system alue. In the exit program, you can ealuate all DDM requests before allowing them. You can use the network job action (JOBACN) network attribute to preent network jobs from being submitted or to preent them from running automatically. You can specify explicitly which program requests can run in a communications enironment by remoing the PGMEVOKE routing entry from subsystem descriptions. The PGMEVOKE routing entry allows the requester to specify the program that runs. When you remoe this routing entry from subsystem descriptions, such as the QCMN subsystem description, you must add routing entries for the communications requests that need to run successfully. Architected TPN requests on page 91 lists the program names for the communications requests by IBM-supplied applications. For each request that you want to allow, you can add a routing entry with the compare alue and the program name both equal to the program name. When you use this method, you need to understand the work management enironment on your system and the types of communications requests that occur on your system. If possible, you should test all types of communications requests to ensure that they work properly after you change the routing entries. When a communications request does not find an aailable routing entry, you receie a CPF1269 message. Another alternatie (less error-prone but perhaps slightly less effectie) is to set the public authority to *EXCLUDE for the transaction programs that you do not want to run on your system. Note: The Work Management book proides more information about routing entries and how the system handles program-start requests. Ealuate your APPC configuration You can use the Print Communications Security (PRTCMNSEC) command or menu options to print the security-releant alues in your APPC configuration. The topics that follow describe the information on the reports. 116 Tips and tools for securing your iseries serer V5R2

Releant parameters for APPC deices Figure 9 shows an example of the Communications Information Report for deice descriptions. Figure 10 shows an example of the report for configuration lists. Following the reports are explanations of fields on the reports. Communications Information (Full Report) SYSTEM4 Object type...: *DEVD Pre SNUF Object Object Deice Secure Location APPN Single Establish Program Name Type Category Location Password Capable Session Session Start CDMDEV1 *DEVD *APPC *NO *NO *NO *YES *NO CDMDEV2 *DEVD *APPC *NO *NO *NO *YES *NO Figure 9. APPC Deice Descriptions-Sample Report Display Configuration List Page 1 SYSTEM4 12/17/95 07:24:36 Configuration list........ : QAPPNRMT Configuration list type..... : *APPNRMT Text............... : -----------------APPN Remote Locations------------------ Remote Remote Control Remote Network Local Control Point Secure Location ID Location Point Net ID Loc SYSTEM36 APPN SYSTEM4 SYSTEM36 APPN *NO SYSTEM32 APPN SYSTEM4 SYSTEM32 APPN *NO SYSTEMU APPN SYSTEM4 SYSTEM33 APPN *YES SYSTEMJ APPN SYSTEM4 SYSTEMJ APPN *NO SYSTEMR2 APPN SYSTEM4 SYSTEM1 APPN *NO --------------------------APPN Remote Locations--------------------------- Remote Local Pre- Remote Network Local Single Number of Control established Location ID Location Session Conersations Point Session SYSTEM36 APPN SYSTEM4 *NO 10 *NO *NO SYSTEM32 APPN SYSTEM4 *NO 10 *NO *NO Figure 10. Configuration List Report-Example Secure location field The secure location (SECURELOC) field specifies whether the local system trusts the remote system to do password erification on behalf of the local system. The SECURELOC field applies only to applications that use the SECURITY(SAME) alue, such as DDM and applications that use the CPI-Communications API. SECURELOC(*YES) makes the local system ulnerable to possible weaknesses in the remote system. Any user that exists on both systems can call programs on the local system. This is particularly dangerous because the QSECOFR (security officer) user profile exists on all iseries systems and has *ALLOBJ special authority. If a system in the network does not do a good job of protecting the QSECOFR password, other systems that treat that system as a secure location are at risk. When you use SECURELOC(*VFYENCPWD), your system is less ulnerable to other systems that do not adequately protect passwords. A user who requests an application that uses SECURITY(SAME) must hae the same user ID and password on both systems. SECURELOC(*VFYENCPWD) requires password administration policies across your network so that users hae the same password on all systems. Chapter 13. Secure APPC communications 117

Note: SECURELOC(*VFYENCPWD) is supported only between systems that are running V3R2, V3R7, or V4R1. If the target system specifies SECURELOC(*VFYENCPWD) and the source system does not support this function, the request is treated as SECURITY(NONE). If a system specifies SECURELOC(*NO), applications that use SECURITY(SAME) will need a default user to run programs. The default user depends on both the deice description and the mode that are associated with the request. (See Target system assignment of user profiles for jobs on page 113.) Location password field The location password field determines whether the two systems will exchange passwords to erify that the requesting system is not an imposter system. Example: A basic APPC session on page 110 proides more information about location passwords. APPN Capable field The APPN-capable (APPN) field specifies whether the remote system can support adanced networking functions or is limited to single-hop connections. APPN(*YES) means the following: If the remote system is a network node, the remote system may be capable of connecting the local system to other systems. This is called intermediate node routing. It means that users on your system may be able to use the remote system as a route to a larger network. If the local system is a network node, the remote system can use the local system to connect to other systems. Users on the remote system may be able to use your system as a route to a larger network. Note: You can use the DSPNETA command to determine whether a system is a network node or an end node. Single session field The single session (SNGSSN) field specifies whether the remote system can run more than one session at a time by using the same APPC deice description. SNGSSN(*NO) is commonly used because it eliminates the need to create multiple deice descriptions for a remote system. For example, a PC user often wants more than one 5250-emulation session and sessions for file-serer and print-serer functions. With SNGSSN(*NO), you can proide this function with one deice description for the PC on the iseries system. SNGSSN(*NO) means that you must rely on the security-conscious operating procedures of PC users and other APPC users. Your system is ulnerable to someone on the remote system who starts an unauthorized session that uses the same deice description as an existing session. (This practice is sometimes referred to as piggy-backing.) Pre-establish session field The pre-establish (PREESTSSN) session field for a single-session deice controls whether the local system starts a session with the remote system when the remote system first contacts the local system. PREESTSSN(*NO) means that the local system waits to start a session until an application requests a session with the system. PREESTSSN(*YES) is useful for minimizing how long it takes for an application program to complete the connection. PREESTSSN(*YES) preents the system from disconnecting a switched (dial-up) line that is no longer being used. The application or the user must explicitly ary 118 Tips and tools for securing your iseries serer V5R2

off the line. PREESTSSN(*YES) may lengthen the time that the local system is ulnerable to piggy-backing on the session. SNUF Program start field The SNUF program start field specifies whether the remote system is allowed to start programs on the local system. *YES means that the object authority scheme on the local system must be adequate to protect objects when users on the remote system start jobs and run programs on the local system. Parameters for APPC controllers Figure 11 shows an example of the Communications Information Report for controller descriptions. Following the report, you will find explanations of fields on the report. Object type......... : *CTLD Communications Information (Full Report) SYSTEM4 Object Object Controller Auto Switched Call APPN CP Disconnect Delete Deice Name Type Category Create Controller Direction Capable Sessions Timer Seconds Name CTL01 *CTLD *APPC *YES *YES *DIAL *YES *YES 0 1440 AARON CTL02 *CTLD *APPC *YES *YES *DIAL *YES *YES 0 1440 BASIC CTL03 *CTLD *APPC *YES *YES *DIAL *YES *YES 0 1440 *NONE Figure 11. APPC Controller Descriptions-Sample Report Auto-create field On a line description, the auto-create (AUTOCRTCTL) field specifies whether the local system automatically creates a controller description when an incoming request cannot find a matching controller description. On a controller description, the auto-create (AUTOCRTDEV) field specifies whether the local system automatically creates a deice description when an incoming request cannot find a matching deice description. For controllers that are APPN-capable, the auto-create field has no effect. The system automatically creates deice descriptions when necessary, regardless of how you hae set the auto-create field. When you specify *YES for a line description, anyone with access to the line can connect to your system. This includes sites that are connected by bridges and routers. Control point sessions field For APPN-capable controllers, the control point sessions (CPSSN) field controls whether the system establishes an APPC connection with the remote system automatically. The system uses the CP session to exchange network information and status with the remote system. The exchange of up-to-date information between APPN network nodes is particularly important so that your network functions smoothly. When you specify *YES, an idle switched line does not disconnect automatically. This makes your system more ulnerable to a piggy-back session. Disconnect timer field For an APPC controller, the disconnect timer field specifies how long a controller must be unused (no actie sessions) before the system disconnects the line to the remote system. This field has two alues. The first alue specifies how long the controller will stay actie from the time it is initially contacted. The second alue Chapter 13. Secure APPC communications 119

determines how long the system waits after the last session has ended on the controller before the system drops the line. The system uses the disconnect timer only when the switched disconnect (SWTDSC) field is *YES. If you make these alues large, your system is more ulnerable to piggy-back sessions. Parameters for line descriptions Figure 12 shows an example of the Communications Information Report for line descriptions. Following the report, you will find explanations of fields on the report. Communications Information (Full Report) Object type...: *LIND Auto Object Object Line Auto Delete Auto Auto Name Type Category Create Seconds Answer Dial LINE01 *LIND *SDLC *NO 0 *NO *NO LINE02 *LIND *SDLC *NO 0 *YES *NO LINE03 *LIND *SDLC *NO 0 *NO *NO LINE04 *LIND *SDLC *NO 0 *YES *NO Figure 12. APPC Line Descriptions-Sample Report Auto answer field The auto answer (AUTOANS) field specifies whether the switched line will accept incoming calls without operator interention. When you specify *YES, your system is less secure because it can be accessed more easily. To minimize the security exposure when you specify *YES, you should ary off the line when you do not need it. Auto dial field The auto dial (AUTODIAL) field specifies whether the switched line can make outgoing calls without operator interention. When you specify *YES, you allow local users who do not hae physical access to communications lines and modems to connect to other systems. 120 Tips and tools for securing your iseries serer V5R2

Chapter 14. Secure TCP/IP communications Preent TCP/IP processing TCP/IP security components TCP/IP (Transmission Control Protocol/Internet Protocol) is a common way that computers of all types communicate with each other. TCP/IP applications are well-known and widely used throughout the information highway. This chapter proides tips for the following: Preenting TCP/IP applications from running on your system. Protecting system resources when you allow TCP/IP applications to run on your system. The iseries Information Center >Networking >TCP/IP website is a complete source for information about all of the TCP/IP applications. SecureWay : iseries and the Internet (iseries Information Center >Security >SecureWay describes security considerations when you connect your iseries serer either to the Internet (a ery large TCP/IP network) or to an intranet. See Prerequisite and related information on page xii for information on accessing the iseries Information Center. Keep in mind that iseries serers support many possible TCP/IP applications. When you decide to allow one TCP/IP application on your system, you may also be enabling other TCP/IP applications. As security administrator, you need to be aware of the range of TCP/IP applications and the security implications of these applications. TCP/IP serer jobs run in the QSYSWRK subsystem. You use the Start TCP/IP (STRTCP) command to start TCP/IP on your system. If you do not want any TCP/IP processing or applications to run, do not use the STRTCP command. Your system ships with the public authority for the STRTCP command set to *EXCLUDE. If you suspect that someone with access to the command is starting TCP/IP (during off-hours, for example), you can set up object auditing on the STRTCP command. The system will write an audit journal entry wheneer a user runs the command. You can take adantage of seeral TCP/IP security components that enhance your network security and add flexibility. Though some of these technologies are also found in firewall products, these TCP/IP security components for OS/400 are not intended to be used as a firewall. Howeer, you may be able to use some of these features, in some instances to eliminate the need for a separate firewall product. You also may be able to use these TCP/IP features to proide additional security in enironments where you already use a firewall. The following components can be utilized to enhance TCP/IP Security: Packet Rules HTTP Proxy Serer VPN (irtual priate networking) SSL (secure sockets layer) Copyright IBM Corp. 1996, 2002 121

Use packet rules to secure TCP/IP traffic Packet rules, which is the combination of IP filtering and network address translation (NAT) acts like a firewall to protect your internal network from intruders. IP filtering lets you control what IP traffic to allow into and out of your network. Basically, it protects your network by filtering packets according to rules that you define. NAT, on the other hand, allows you to hide your unregistered priate IP addresses behind a set of registered IP addresses. This helps to protect your internal network from outside networks. NAT also helps to alleiate the IP address depletion problem, since many priate addresses can be represented by a small set of registered addresses. See the iseries Information Center for more details. HTTP proxy serer The HTTP proxy serer comes with the IBM HTTP Serer for iseries serer. The HTTP Serer is part of OS/400. The proxy serer receies HTTP requests from Web browsers and resends them to Web serers. Web serers that receie the requests are only aware of the IP address of the proxy serer and cannot determine the names or addresses of the PCs that originated the requests. The proxy serer can handle URL requests for HTTP, FTP, Gopher and WAIS. The proxy serer caches returned Web pages from requests made by all proxy serer users. Consequently, when users request a page, the proxy serer checks whether the page is in the cache. If it is, the proxy serer returns the cached page. By using cached pages, the proxy serer is able to serer Web pages more quickly, which eliminates potentially time-consuming requests to the Web serer. The proxy serer can also log all URL requests for tracking purposes. You can then reiew the logs to monitor use and misuse of network resources. You can use the HTTP proxy support in the IBM HTTP Serer to consolidate Web access. Addresses of PC clients are hidden from the Web serers they access; only the IP address of the proxy serer is known. Web page caching can also reduce communication bandwidth requirements and firewall workload. See the IBM HTTP Serer for iseries Homepage for more information: http://www- 1.ibm.com/serers/eserer/iseries/software/http/index.html Virtual Priate Networking (VPN) A irtual priate network (VPN) allows your company to securely extend its priate intranet oer the existing framework of a public network, such as the Internet. With VPN, your company can control network traffic while proiding important security features such as authentication and data priacy. OS/400 VPN is an optionally-installable component of iseries Naigator, the graphical user interface (GUI) for OS/400. It allows you to create a secure end-to-end path between any combination of host and gateway. OS/400 VPN uses authentication methods, encryption algorithms, and other precautions to ensure that data sent between the two endpoints of its connection remains secure. VPN runs on the network layer of the TCP/IP layered communications stack model. Specifically, VPN uses the IP Security Architecture (IPSec) open framework. IPSec proides base security functions for the Internet, as well as furnishes flexible building blocks from which you can create robust, secure irtual priate networks. 122 Tips and tools for securing your iseries serer V5R2

VPN also supports Layer 2 Tunnel Protocol (L2TP) VPN solutions. L2TP connections, which are also called irtual lines, proide cost-effectie access for remote users by allowing a corporate network serer to manage the IP addresses assigned to its remote users. Further, L2TP connections proide secure access to your system or network when you protect them with IPSec. It is important that you understand the impact a VPN will hae on your entire network. Proper planning and implementation are essential to your success. You should reiew the VPN topic in the iseries Information Center to ensure that you know how VPNs work and how you might use them. For more information, see the iseries Information Center >Security >Virtual Priate Networking. See Prerequisite and related information on page xii for information on accessing the iseries Information Center. Secure Sockets Layer (SSL) Secure Sockets Layer (SSL) has become an industry standard for enabling applications for secure communication sessions oer an unprotected network, such as the Internet. The SSL protocol establishes a secure connections between clients and serer applications which proide authentication of one or both endpoints of the communication session. SSL also proides priacy and integrity of the data that client and serer applications exchange. For more information, see the iseries Information Center >Security >Secure Sockets Layer (SSL). See Prerequisite and related information on page xii for information on accessing the iseries Information Center. Secure your TCP/IP enironment This topic proides general suggestions for steps that you can take to reduce the security exposures in the TCP/IP enironment on your system. These tips apply to your entire TCP/IP enironment rather than to the specific applications that are discussed in the topics that follow. When you write an application for a TCP/IP port, make sure that the application is properly secure. You should assume that an outsider might try to access that application through that port. A knowledgeable outsider may attempt to TELNET to that application. Monitor the use of TCP/IP ports on your system. A user application that is associated with a TCP/IP port can proide back-door entry to your system without a user ID or a password. Someone with sufficient authority on your system can associate an application with a TCP or UDP port. As a security administrator, you should be aware of a technique called IP spoofing that is used by hackers. Eery system in a TCP/IP network has an IP address. Someone who uses IP spoofing sets up a system (usually a PC) to pretend to be an existing IP address or a trusted IP address. Thus, the imposter can establish a connection with your system by pretending to be a system that you normally connect with. If you run TCP/IP on your system and your system participates in a network that is not physically protected (all nonswitched lines and predefined links), you are ulnerable to IP spoofing. To protect your system from damage by a spoofer, start with the suggestions in this chapter, such as sign-on protection and object security. You should also ensure that your system has reasonable auxiliary storage limits set. This preents a spoofer from flooding your system with mail or spooled files to the point that your system becomes inoperable. Chapter 14. Secure TCP/IP communications 123

In addition, you should regularly monitor TCP/IP actiity on your system. If you detect IP spoofing, you can try to discoer the weak points in your TCP/IP setup and to make adjustments. For your intranet (network of systems that do not need to connect directly to the outside), use IP addresses that are reusable. Reusable addresses are intended for use within a priate network. The Internet backbone does not route packets that hae a reusable IP address. Therefore, reusable addresses proide an added layer of protection inside your firewall. The iseries Information Center >Networking >TCP/IP website proides more information about how IP addresses are assigned and about the ranges of IP addresses, as well as security information about TCP/IP. If you are considering connecting your system to the Internet or an intranet, reiew the security information atsecureway: iseries and the Internet (iseries Information Center >Security >SecureWay). See Prerequisite and related information on page xii for information on accessing the iseries Information Center. Control which TCP/IP serers start automatically As security administrator, you need to control which TCP/IP applications start automatically when you start TCP/IP. Two commands are aailable for starting TCP/IP. For each command, the system uses a different method to determine which applications (serers) to start. Table 22 shows the two commands and security recommendations for them. Table 23 on page 125 shows the default autostart alues for the serers. To change the autostart alue for a serer, use the CHGxxxA (Change xxx Attributes) command for the serer. For example, the command for TELNET is CHGTELNA. Table 22. How TCP/IP commands determine which serers to start Command What serers start Security recommendations Start TCP/IP (STRTCP) Start TCP/IP Serer (STRTCPSVR) The system starts eery serer that specifies AUTOSTART(*YES). Table 23 on page 125 shows the shipped alue for each TCP/IP serer. You use a parameter to specify which serers to start. The default when this command ships is to start all serers. Assign *IOSYSCFG special authority carefully to control who can change the autostart settings. Carefully control who has authority to use the STRTCP command. The default public authority for the command is *EXCLUDE. Set up object auditing for the Change serer-name Attributes commands (such as CHGTELNA) to monitor users who attempt to change the AUTOSTART alue for a serer. Use the Change Command Default (CHGCMDDFT) command to set up the STRTCPSVR command to start only a specific serer. This does not preent users from starting other serers. Howeer, by changing the command default, you make it less likely that users will start all serers by accident. For example, use the following command to set the default to start only the TELNET serer:chgcmddft CMD(STRTCPSVR) NEWDFT( SERVER(*TELNET) ) Note: When you change the default alue, you can specify only a single serer. Choose either a serer that you use regularly or a serer that is least likely to cause security exposures (such as TFTP). Carefully control who has authority to use the STRTCPSVR command. The default public authority for the command is *EXCLUDE. 124 Tips and tools for securing your iseries serer V5R2

The following table contains autostart alues for TCP/IP serers. For more information on each of these serers, see the iseries Information Center (Networking >TCP/IP). See Prerequisite and related information on page xii for details on accessing the iseries Information Center. Table 23. Autostart alues for TCP/IP serers Serer Default alue Your alue TELNET AUTOSTART(*YES) FTP (file transfer protocol) BOOTP (Bootstrap Protocol) TFTP (triial file transfer protocol) REXEC (Remote EXECution serer) RouteD (Route Daemon) SMTP (simple mail transfer protocol) POP (Post Office Protocol) HTTP (Hypertext Transfer Protocol) 1 ICS (Internet Connection Serer) 1 LPD (line printer daemon) SNMP (Simple Network Management Protocol (SNMP)) DNS (domain name system) DDM DHCP (dynamic host configuration protocol) NSMI INETD AUTOSTART(*YES) AUTOSTART(*NO) AUTOSTART(*NO) AUTOSTART(*NO) AUTOSTART(*NO) AUTOSTART(*YES) AUTOSTART(*NO) AUTOSTART(*NO) AUTOSTART(*NO) AUTOSTART(*YES) AUTOSTART(*YES) AUTOSTART(*NO) AUTOSTART(*NO) AUTOSTART(*NO) AUTOSTART(*NO) AUTOSTART(*NO) Notes: 1. With the IBM HTTP Serer for iseries serer, you use the CHGHTTPA command to set the AUTOSTART alue. Security considerations for using SLIP iseries serer TCP/IP support includes Serial Interface Line Protocol (SLIP). SLIP proides low-cost point-to-point connectiity. A SLIP user can connect to a LAN or a WAN by establishing a point-to-point connection with a system that is part of the LAN or WAN. SLIP runs on an asynchronous connection. You can use SLIP for dial-up connection to and from iseries serers. For example, you might use SLIP to dial in from your PC to an iseries system. After the connection is established, you can use the TELNET application on your PC to connect to the iseries TELNET serer. Or, you can use the FTP application to transfer files between the two systems. No SLIP configuration exists on your system when it ships. Therefore, if you do not want SLIP (and dial-up TCP/IP) to run on your system, do not configure any configuration profiles for SLIP. You use the Work with TCP/IP Point-to-Point (WRKTCPPTP) command to create SLIP configurations. You must hae *IOSYSCFG special authority to use the WRKTCPPTP command. Chapter 14. Secure TCP/IP communications 125

If you want SLIP to run on your system, you create one or more SLIP (point-to-point) configuration profiles. You can create configuration profiles with the following operating modes: Dial in (*ANS) Dial out (*DIAL) The topics that follow discuss how you can set up security for SLIP configuration profiles. Note: A user profile is an iseries serer object that allows sign-on. Eery iseries serer job must hae a user profile to run. A configuration profile stores information that is used to establish a SLIP connection with an iseries system. When you start a SLIP connection to iseries serers, you are simply establishing a link. You hae not yet signed on and started an iseries serer job. Therefore, you do not necessarily need a user profile to start a SLIP connection to iseries serers. Howeer, as you will see in the discussions that follow, the SLIP configuration profile may require a user profile to determine whether to allow the connection. Control dial-in SLIP connections Before someone can establish a dial-in connection to your system with SLIP, you must start a SLIP *ANS configuration profile. To create or change a SLIP configuration profile, you use the Work with TCP/IP Point-to-Point (WRKTCPPTP) command. To start a configuration profile, you use either the Start TCP/IP Point-to-Point (STRTCPPTP) command or an option from the WRKTCPPTP display. When your system ships, the public authority for the STRTCPPTP and ENDTCPPTP commands are *EXCLUDE. The options to add, change, and delete SLIP configuration profiles are aailable only if you hae *IOSYSCFG special authority. As security administrator, you can use both command authority and special authority determine who can set up your system to allow dial-in connections. Secure a dial-in SLIP connection If you want to alidate systems that dial in to your system, then you want the requesting system to send a user ID and a password. Your system can then erify the user ID and password. If the user ID and password are not alid, your system can reject the session request. To set up dial-in alidation, do the following: Step 1. Create a user profile that the requesting system can use to establish the connection. The user ID and password that the requester sends must match this user profile name and password. Note: For the system to perform password alidation, the QSECURITY system alue must be set to 20 or higher. As additional protection, you probably want to create user profiles specifically for establishing SLIP connections. The user profiles should hae limited authority on the system. If you do not plan to use the profiles for any function except establishing SLIP connections, you can set the following alues in the user profiles: An initial menu (INLMNU) of *SIGNOFF An initial program (INLPGM) of *NONE. Limit capabilities (LMTCPB) of *YES 126 Tips and tools for securing your iseries serer V5R2

Step 2. Step 3. Step 4. These alues preent anyone from signing on interactiely with the user profile. Create an authorization list for the system to check when a requester tries to establish a SLIP connection. Note: You specify this authorization list in the System access authorization list field when you create or change the SLIP profile. (See step 4.) Use the Add Authorization Entry (ADDAUTLE) command to add the user profile that you created in step 1 to the authorization list. You can create a unique authorization list for each point-to-point configuration profile, or you can create an authorization list that seeral configuration profiles share. Use the WRKTCPPTP command to set up a TCP/IP point-to-point *ANS profile that has the following characteristics: The configuration profile must use a connection dialog script that includes the user-alidation function. User alidation includes accepting a user ID and password from the requester and alidating them. The system ships with seeral sample dialog scripts that proide this function. The configuration profile must specify the name of the authorization list that you created in step 2. The user ID that the connection dialog script receies must be in the authorization list. Keep in mind that the alue of setting up dial-in security is affected by the security practices and capabilities of the systems that dial in. If you require a user ID and password, then the connection dialog script on the requesting system must send that user ID and password. Some systems, such as iseries serers, proide a secure method for storing the user IDs and passwords. ( Security and dial-out sessions on page 128 describes the method.) Other systems store the user ID and password in the script which might be accessible to anyone who knows where to find the script on the system. Because of the differing security practices and capabilities of your communications partners, you might want to create different configuration profiles for different requesting enironments. You use STRTCPPTP command to set your system up to accept a session for a specific configuration profile. You can start sessions for some configuration profiles only at certain times of the day, for example. You might use security auditing to log the actiity for the associated user profiles. Preent dial-in users from accessing other systems Depending on your system and network configuration, a user who starts a SLIP connection might be able to access another system in your network without signing on to your system. For example, a user could establish a SLIP connection to your system. Then the user could establish an FTP connection to another system in your network that does not allow dial-in. You can preent a SLIP user from accessing other systems in your network by specifying N (No) for the Allow IP datagram forwarding field in the configuration profile. This preents a user from accessing your network before the user logs on to your system. Howeer, after the user has successfully logged on to your system, the datagram forwarding alue has no effect. It does not limit the user s ability to use a TCP/IP application on your iseries system (such as FTP or TELNET), to establish a connection with another system in your network. Chapter 14. Secure TCP/IP communications 127

Control dial-out sessions Before someone can use SLIP to establish a dial-out connection from your system, you must start a SLIP *DIAL configuration profile. To create or change a SLIP configuration profile, you use the WRKTCPPTP command. To start a configuration profile, you use either the Start TCP/IP Point-to-Point (STRTCPPTP) command or an option from the WRKTCPPTP display. When your system ships, the public authority for the STRTCPPTP and ENDTCPPTP commands are *EXCLUDE. The options to add, change, and delete SLIP configuration profiles are aailable only if you hae *IOSYSCFG special authority. As security administrator, you can use both command authority and special authority determine who can set up your system to allow dial-out connections. Security and dial-out sessions Users on your iseries system might want to establish dial-out connections to systems that require user alidation. The connection dialog script on your iseries serer must send a user ID and a password to the remote system. iseries serers proide a secure method for storing that password. The password does not need to be stored in the connection dialog script. Notes: 1. Een though your system stores the connection password in encrypted form, your system decrypts the password before sending it. SLIP passwords, like FTP and TELNET passwords, are sent unencrypted ( in the clear ). Howeer, unlike with FTP and TELNET, the SLIP password is sent before the systems establish TCP/IP mode. Because SLIP uses a point-to-point connection in asynchronous mode, the security exposure when sending unencrypted passwords is different from the exposure with FTP and TELNET passwords. Unencrypted FTP and TELNET passwords might be sent as IP traffic on a network and are, therefore, ulnerable to electronic sniffing. The transmission of your SLIP password is as secure as the telephone connection between the two systems. 2. The default file for storing SLIP connection dialog scripts is QUSRSYS/QATOCPPSCR. The public authority for this file is *USE, which preents public users from changing the default connection dialog scripts. When you create a connection profile for a remote session that requires alidation, do the following: Step 1. Step 2. Ensure that the Retain Serer Security Data (QRETSVRSEC) system alue is 1 (Yes). This system alue determines whether you will allow passwords that can be decrypted to be stored in a protected area on your system. Use the WRKTCPPTP command to create a configuration profile that has the following characteristics: For the mode of the configuration profile, specify *DIAL. For the Remote serice access name, specify the user ID that the remote system expects. For example, if you are connecting to another iseries serer, specify the user profile name on that iseries serer. For the Remote serice access password, specify the password that the remote system expects for this user ID. On your iseries serer, this password is stored in a protected area in a form that can be decrypted. The names and passwords that you assign for configuration profiles are associated with the QTCP user profile. The 128 Tips and tools for securing your iseries serer V5R2

names and passwords are not accessible with any user commands or interfaces. Only registered system programs can access this password information. Note: Keep in mind that the passwords for your connection profiles are not saed when your sae the TCP/IP configuration files. To sae SLIP passwords, you need to use the Sae Security Data (SAVSECDTA) command to sae the QTCP user profile. For the connection dialog script, specify a script that sends the user ID and password. The system ships with seeral sample dialog scripts that proide this function. When the system runs the script, the system retriees the password, decrypts it, and sends it to the remote system. Security considerations for point-to-point protocol Point-to-point protocol (PPP) is aailable as part of TCP/IP. PPP is an industry standard for point-to-point connections that proides additional function oer what is aailable with SLIP. With PPP, your iseries serer can hae high-speed connections directly to an Internet Serice Proider or to other systems in an intranet or extranet. Remote LANs can realistically make dial-in connections to your iseries serer. Remember that PPP, like SLIP, proides a network connection to your iseries serer. A PPP connection essentially brings the requester to your system s door. The requester still needs a user ID and password to enter your system and connect to a TCP/IP serer like TELNET or FTP. Following are security considerations with this new connection capability: Note: You configure PPP by using iseries Naigator on an IBM iseries Access for Windows workstation. PPP proides the ability to hae dedicated connections (where the same user always has the same IP address). With a dedicated address, you hae the potential for IP spoofing (an imposter system that pretends to be a trusted system with a known IP address). Howeer, the enhanced authentication capabilities that PPP proides help protect against IP spoofing. With PPP, as with SLIP, you create connection profiles that hae a user name and an associated password. Howeer, unlike SLIP, the user does not need to hae a alid user profile and password. The user name and password are not associated with a user profile. Instead, alidation lists are used for PPP authentication. Additionally, PPP does not require a connection script. The authentication (exchange of user name and password) is part of the PPP architecture and happens at a lower leel than with SLIP. With PPP, you hae the option to use CHAP (challenge handshake authentication protocol). You will no longer need to worry about an eaesdropper sniffing passwords because CHAP encrypts user names and passwords. Your PPP connection uses CHAP only if both sides hae CHAP support. During the exchange signals to set up communications between two modems, the two systems negotiate. For example, if SYSTEMA supports CHAP and SYSTEMB does not, SYSTEMA can either deny the session or agree to use an unencrypted user name and password. Agreeing to use an unencrypted user name and password is referred to as negotiating down. The decision to negotiate down is a configuration option. On your intranet, for example, where you know that all Chapter 14. Secure TCP/IP communications 129

your systems hae CHAP capability, you should configure your connection profile so that it will not negotiate down. On a public connection where your system is dialing out, you might be willing to negotiate down. The connection profile for PPP proides the ability to specify alid IP addresses. You can, for example, indicate that you expect a specific address or range of addresses for a specific user. This capability, together with the ability for encrypted passwords, proides further protection against spoofing. As additional protection against spoofing or piggy-backing on an actie session, you can configure PPP to rechallenge at designated interals. For example, while a PPP session is actie, your iseries serer might challenge the other system for a user and password. It does this eery 15 minutes to ensure that `it is the same connection profile. (The end-user will not be aware of this rechallenge actiity. The systems exchange names and passwords below the leel that the end-user sees.) With PPP, it is realistic to expect that remote LANs might establish a dial-in connection to your iseries serer and to your extended network. In this enironment, haing IP forwarding turned on is probably a requirement. IP forwarding has the potential to allow an intruder to roam through your network. Howeer, PPP has stronger protections (such as encryption of passwords and IP address alidation). This makes it less likely that an intruder can establish a network connection in the first place. For more information about PPP, see the iseries Information Center.. Security considerations for using Bootstrap Protocol serer Bootstrap Protocol (BOOTP) proides a dynamic method for associating workstations with serers and assigning workstation IP addresses and initial program load (IPL) sources. BOOTP and triial file transfer protocol (TFTP) together proide support for the IBM NetVista thin client. BOOTP is a TCP/IP protocol used to allow a media-less workstation (client) to request a file containing initial code from a serer on the network. The BOOTP serer listens on the well known BOOTP serer port 67. When a client request is receied, the serer looks up the IP address defined for the client and returns a reply to the client with the client s IP address and the name of the load file. The client then initiates a TFTP request to the serer for the load file. The mapping between the client hardware address and IP address is kept in the BOOTP table on the iseries serer. Preent BOOTP Access If you do not hae any thin clients attached to your network, you do not need to run the BOOTP serer on your system. It can be used for other deices, but the preferred solution for those deices is to use DHCP. Do the following to preent the BOOTP serer from running: Step 1. To preent BOOTP serer jobs from starting automatically when you start TCP/IP, type the following: CHGBPA AUTOSTART(*NO) Notes: a. AUTOSTART(*NO) is the default alue. b. Control which TCP/IP serers start automatically on page 124 proides more information about controlling which TCP/IP serers start automatically. 130 Tips and tools for securing your iseries serer V5R2

Step 2. To preent someone from associating a user application, such as a socket application, with the port that the system normally uses for BOOTP, do the following: Note: Because DHCP and BOOTP use the same port number, this will also inhibit the port that is used by DHCP. Do not restrict the port if you want to use DHCP. Step a. Type GO CFGTCP to display the Configure TCP/IP menu. Step b. Select option 4 (Work with TCP/IP port restrictions). Step c. On the Work with TCP/IP Port Restrictions display, specify option 1 (Add). Step d. For the lower port range, specify 67. Step e. For the upper port range, specify *ONLY. Notes: 1) The port restriction takes effect the next time that you start TCP/IP. If TCP/IP is actie when you set the port restrictions, you should end TCP/IP and start it again. 2) RFC1700 proides information about common port number assignments. Step f. For the protocol, specify *UCD. Step g. For the user profile field, specify a user profile name that is protected on your system. (A protected user profile is a user profile that does not own programs that adopt authority and does not hae a password that is known by other users.) By restricting the port to a specific user, you automatically exclude all other users. Secure the BOOTP serer The BOOTP serer does not proide direct access to your iseries system, and thus represents a limited security exposure. Your primary concern as a security administrator is to ensure that the correct information is associated with the correct thin client. In other words, a mischief-maker could alter the BOOTP table and cause your thin clients to work incorrectly or not at all. To administer the BOOTP serer and the BOOTP table, you must hae *IOSYSCFG special authority. You need to carefully control the user profiles that hae *IOSYSCFG special authority on your system. The IBM Network Station Manager for AS/400 book describes the procedures for working with the BOOTP table. Security considerations for using DHCP serer Dynamic host configuration protocol (DHCP) proides a framework for passing configuration information to hosts on a TCP/IP network. For your client workstations, DHCP can proide a function similar to auto configuration. A DHCP-enabled program on the client workstation broadcasts a request for configuration information. If the DHCP serer is running on your iseries serer, the serer responds to the request by sending the information that the client workstation needs to correctly configure TCP/IP. You can use DHCP to make it simpler for users to connect to your iseries serer for the first time. This is because the user does not need to enter TCP/IP configuration information. You can also use DHCP to reduce the number of Chapter 14. Secure TCP/IP communications 131

internal TCP/IP addresses that you need in a subnetwork. The DHCP serer can temporarily allocate IP addresses to actie users (from its pool of IP addresses). For thin clients, you can use DHCP in place of BOOTP. DHCP proides more function than BOOTP, and it can support dynamic configuration of both thin clients and PCs. Preent DHCP access If you do not want anyone to use the DHCP serer on your system, do the following: 1. To preent DHCP serer jobs from starting automatically when you start TCP/IP, type the following: CHGDHCPA AUTOSTART(*NO) Notes: a. AUTOSTART(*NO) is the default alue. b. Control which TCP/IP serers start automatically on page 124 proides more information about controlling which TCP/IP serers start automatically. 2. To preent someone from associating a user application, such as a socket application, with the port that the system normally uses for DHCP, do the following: a. Type GO CFGTCP to display the Configure TCP/IP menu. b. Select option 4 (Work with TCP/IP port restrictions). c. On the Work with TCP/IP Port Restrictions display, specify option 1 (Add). d. For the lower port range, specify 67. e. For the upper port range, specify 68. Notes: 1) The port restriction takes effect the next time that you start TCP/IP. If TCP/IP is actie when you set the port restrictions, you should end TCP/IP and start it again. 2) RFC1700 proides information about common port number assignments. f. For the protocol, specify *UDP. g. For the user profile field, specify a user profile name that is protected on your system. (A protected user profile is a user profile that does not own programs that adopt authority and does not hae a password that is known by other users.) By restricting the port to a specific user, you automatically exclude all other users. Secure the DHCP serer Following are security considerations when you choose to run DHCP on your iseries system: Restrict the number of users who hae authority to administer DHCP. Administering DHCP requires the following authority: *IOSYSCFG special authority *RW authority to the following files: /QIBM/UserData/OS400/DHCP/dhcpsd.cfg /QIBM/UserData/OS400/DHCP/dhcprd.cfg 132 Tips and tools for securing your iseries serer V5R2 Ealuate how physically accessible your LAN is. Could an outsider easily walk into your location with a laptop and physically connect it to your LAN? If this is an exposure, DHCP proides the capability to create a list of clients (hardware

addresses) that the DHCP serer will configure. When you use this feature, you remoe some of the productiity benefit that DHCP proides to your network administrators. Howeer, you preent the system from configuring unknown workstations. If possible, use a pool of IP addresses that is reusable (not architected for the Internet). This helps preent a workstation from outside your network from gaining usable configuration information from the serer. Use the DHCP exit points if you need additional security protection. Following is an oeriew of the exit points and their capabilities. The iseries System API Reference describes how to use these exit points. Port entry The system calls your exit program wheneer it reads a data packet from port 67 (the DHCP port). Your exit program receies the full data packet. It can decide whether the system should process or discard the packet. You can use this exit point when existing DHCP screening features are not sufficient for your needs. Address assignment The system calls your exit program wheneer DHCP formally assigns an address to a client. Address release The system calls your exit program wheneer DHCP formally releases an address and places it back in the address pool. Security considerations for using TFTP serer Triial file transfer protocol (TFTP) proides basic file transfer with no user authentication. TFTP works with either Bootstrap Protocol (BOOTP) or Dynamic Host Configuration Protocol (DHCP) to proide support for the IBM NetVista thin client. The IBM NetVista thin client connects initially to either the BOOTP serer or the DHCP serer. The BOOTP serer or the DHCP serer replies with the client s IP address and the name of the load file. The client then initiates a TFTP request to the serer for the load file. When the client completes downloading of the load file, it ends the TFTP session. Preent TFTP access If you do not hae any thin clients attached to your network, you probably do not need to run the TFTP serer on your system. Do the following to preent the TFTP serer from running: Step 1. Step 2. To preent TFTP serer jobs from starting automatically when you start TCP/IP, type the following: CHGTFTPA AUTOSTART(*NO) Notes: a. AUTOSTART(*NO) is the default alue. b. Control which TCP/IP serers start automatically on page 124 proides more information about controlling which TCP/IP serers start automatically. To preent someone from associating a user application, such as a socket application, with the port that the system normally uses for TFTP, do the following: Chapter 14. Secure TCP/IP communications 133

Step a. Type GO CFGTCP to display the Configure TCP/IP menu. Step b. Select option 4 (Work with TCP/IP port restrictions). Step c. On the Work with TCP/IP Port Restrictions display, specify option 1 (Add). Step d. For the lower port range, specify 69. Step e. For the upper port range, specify *ONLY. Notes: 1) The port restriction takes effect the next time that you start TCP/IP. If TCP/IP is actie when you set the port restrictions, you should end TCP/IP and start it again. 2) RFC1700 proides information about common port number assignments. Step f. For the protocol, specify *UCD. Step g. For the user profile field, specify a user profile name that is protected on your system. (A protected user profile is a user profile that does not own programs that adopt authority and does not hae a password that is known by other users.) By restricting the port to a specific user, you automatically exclude all other users. Secure the TFTP serer By default, the TFTP serer proides ery limited access to your iseries system. It is specifically configured to proide the initial code for thin clients. As a security administrator, you should be aware of the following characteristics of the TFTP serer: The TFTP serer does not require authentication (a user ID and password). All TFTP jobs run under the QTFTP user profile. The QTFTP user profile does not hae a password. Therefore, it is not aailable for interactie sign-on. The QTFTP user profile does not hae any special authorities, nor is it explicitly authorized to system resources. It uses public authority to access the resources that it needs for the thin clients. When the TFTP serer arries, it is configured to access the directory that contains thin client information. You must hae *PUBLIC or QTFTP authorized to read or write to that directory. To write to the directory you must hae *CREATE specified on the Allow file writes parameter of the CHGTFTPA command. To write to an existing file you must hae the *REPLACE specified on the Allow file writes parameter of CHGTFTPA. *CREATE allows you to replace existing files or create new files. *REPLACE only allows you to replace existing files. A TFTP client cannot access any other directory unless you explicitly define the directory with the Change TFTP Attributes (CHGTFTPA) command. Therefore, if a local or remote user does attempt to start a TFTP session to your system, the user s ability to access information or cause damage is extremely limited. If you choose to configure your TFTP serer to proide other serices in addition to handling thin clients, you can define an exit program to ealuate and authorize eery TFTP request. The TFTP serer proides a request alidation exit similar to the exit that is aailable for the FTP serer. For more information, see the iseries Information Center >Networking >TCP/IP >TFTP. See Prerequisite and related information on page xii for information on accessing the iseries Information Center. 134 Tips and tools for securing your iseries serer V5R2

Security considerations for using REXEC serer The Remote EXECution serer (REXEC) receies and runs commands from an REXEC client. A REXEC client is typically a PC or UNIX application that supports sending REXEC commands. The support that this serer proides is similar to the capability that is aailable when you use the RCMD (Remote Command) sub-command for the FTP serer. Preent REXEC access If you do not want your iseries serer to accept commands from an REXEC client, do the following to preent the REXEC serer from running: Step 1. Step 2. To preent REXEC serer jobs from starting automatically when you start TCP/IP, type the following: CHGRXCA AUTOSTART(*NO) Notes: a. AUTOSTART(*NO) is the default alue. b. Control which TCP/IP serers start automatically on page 124 proides more information about controlling which TCP/IP serers start automatically. To preent someone from associating a user application, such as a socket application, with the port that the system normally uses for REXEC, do the following: Step a. Type GO CFGTCP to display the Configure TCP/IP menu. Step b. Select option 4 (Work with TCP/IP port restrictions). Step c. On the Work with TCP/IP Port Restrictions display, specify option 1 (Add). Step d. For the lower port range, specify 512. Step e. For the upper port range, specify *ONLY. Step f. For the protocol, specify *TCP. Step g. For the user profile field, specify a user profile name that is protected on your system. (A protected user profile is a user profile that does not own programs that adopt authority and does not hae a password that is known by other users.) By restricting the port to a specific user, you automatically exclude all other users. Notes: a. The port restriction takes effect the next time that you start TCP/IP. If TCP/IP is actie when you set the port restrictions, you should end TCP/IP and start it again. b. RFC1700 proides information about common port number assignments. Secure the REXEC serer Following are considerations when you choose to run the Remote EXECution serer on your system: An REXCD request includes a user ID, a password, and the command to run. Normal iseries serer authentication and authority checking applies: The user profile and password combination must be alid. The system enforces the Limit capabilities (LMTCPB) alue for the user profile. Chapter 14. Secure TCP/IP communications 135

The user must be authorized to the command and to all of the resources that the command uses. The REXEC serer proides exit points similar to the exit points that are aailable for the FTP serer. You can use the Validation exit point to ealuate the command and decide whether to allow it. For more information, see the iseries Information Center >Networking >TCP/IP >REXEC. See Prerequisite and related information on page xii for information on accessing the iseries Information Center. When you choose to run the REXEC serer, you are running outside any menu access control that you hae on your system. You must ensure that your object authority scheme is adequate to protect your resources. Security considerations for using RouteD The Route Daemon (RouteD) serer proides support for the Routing Information Protocol (RIP) on iseries serers. RIP is the most widely used of routing protocols. It is an Interior Gateway Protocol that assists TCP/IP in the routing of IP packets within an autonomous system. RouteD is intended to increase the efficiency of network traffic by allowing systems within a trusted network to update each other with current route information. When you run RouteD, your system can receie updates from other participating systems about how transmissions (packets) should be routed. Therefore, if your RouteD serer is accessible to a hacker, the hacker might use it to reroute your packets through a system that can sniff or modify those packets. Following are suggestions for RouteD security: iseries serers use RIP1, which does not proide any method for authenticating routers. It is intended for use within a trusted network. If your system is in a network with other systems that you do not trust, you should not run the RouteD serer. To ensure that the RouteD serer does not start automatically, type the following: CHGRTDA AUTOSTART(*NO) Notes: 1. AUTOSTART(*NO) is the default alue. 2. Control which TCP/IP serers start automatically on page 124 proides more information about controlling which TCP/IP serers start automatically. Make sure that you control who can change the RouteD configuration, which requires *IOSYSCFG special authority. If your system participates in more than one network (for example, an intranet and the Internet), you can configure the RouteD serer to send and accept updates only with the secure network. Security considerations for using DNS serer The Domain Name System (DNS) serer proides translation of host name to IP addresses and ice ersa. On iseries serers, the DNS serer is intended to proide address translation for the internal, secure network (intranet). Preent DNS access If you do not want anyone to use the DNS serer on your system, do the following: 1. To preent DNS serer jobs from starting automatically when you start TCP/IP, type the following: 136 Tips and tools for securing your iseries serer V5R2

CHGDNSA AUTOSTART(*NO) Notes: a. AUTOSTART(*NO) is the default alue. b. Control which TCP/IP serers start automatically on page 124 proides more information about controlling which TCP/IP serers start automatically. 2. To preent someone from associating a user application, such as a socket application, with the port that the system normally uses for DNS, do the following: a. Type GO CFGTCP to display the Configure TCP/IP menu. b. Select option 4 (Work with TCP/IP port restrictions). c. On the Work with TCP/IP Port Restrictions display, specify option 1 (Add). d. For the lower port range, specify 53. e. For the upper port range, specify *ONLY. Notes: 1) The port restriction takes effect the next time that you start TCP/IP. If TCP/IP is actie when you set the port restrictions, you should end TCP/IP and start it again. 2) RFC1700 proides information about common port number assignments. f. For the protocol, specify *TCP. g. For the user profile field, specify a user profile name that is protected on your system. (A protected user profile is a user profile that does not own programs that adopt authority and does not hae a password that is known by other users.) By restricting the port to a specific user, you automatically exclude all other users. h. Repeat steps 2c through 2g for the *UDP (User datagram) protocol. Secure the DNS serer Following are security considerations when you choose to run DNS on your iseries system: The function that the DNS serer proides is IP address translation and name translation. It does not proide any access to objects on your iseries system. Your risk when an outsider accesses your DNS serer is that the serer proides an easy way to iew the topology of your network. Your DNS might sae a hacker some effort in determining the addresses of potential targets. Howeer, your DNS does not proide information that will help to break into those target systems. Typically, you use the iseries DNS serer for your intranet. Therefore, you probably do not hae a need to restrict the ability to query the DNS. Howeer, you might, for example, hae seeral subnetworks within your intranet. You might not want users from a different subnetwork to be able to query the DNS on your iseries serer. A security option of DNS lets you limit access to a primary domain. Use iseries Naigator to specify IP addresses to which the DNS serer should respond. Another security option lets you specify which secondary serers can copy information from your primary DNS serer. When you use this option, your serer will accept zone transfer requests (a request to copy information) only from the secondary serers that you explicitly list. Be sure to carefully restrict the ability to change the configuration file for your DNS serer. Someone with malicious intent could, for example, change your Chapter 14. Secure TCP/IP communications 137

DNS file to point to an IP address outside your network. They could simulate a serer in your network and, perhaps, gain access to confidential information from users that isit the serer. Security considerations for using HTTP serer for iseries The HTTP serer proides World Wide Web browser clients with access to iseries serer multimedia objects, such as HTML (Hypertext Markup Language) documents. It also supports the Common Gateway Interface (CGI) specification. Application programmers can write CGI programs to extend the functionality of the serer. The administrator can use Internet Connection Serer or IBM HTTP serer for iseries to run multiple serers concurrently on the same iseries serer. Each serer that is running is called a serer instance. Each serer instance has a unique name. The administrator controls which instances are started and what each instance can do. Note: You must hae the *ADMIN instance of the HTTP serer running when you use a Web browser to configure or administer any of the following: Firewall for iseries Network Station Internet Connection Serer Internet Connection Secure Serer IBM HTTP Serer for AS/400 A user (Web site isitor) neer sees an iseries serer Sign On display. Howeer, the iseries serer administrator must explicitly authorize all HTML documents and CGI programs by defining them in HTTP directies. In addition, the administrator can set up both resource security and user authentication (user ID and password) for some or all requests. An attack by a hacker could result in a denial of serice to your Web serer. Your serer can detect a denial-of-serice attack by measuring the time-out of certain clients requests. If the serer does not receie a request from the client, then your serer determines that a denial-of-serice attack is in progress. This occurs after making the initial client connection to your serer. The serer s default is to perform attack detection and penalization. Preent HTTP access If you do not want anyone to use the program to access your system, you should preent the HTTP serer from running. Do the following: Step 1. To preent HTTP serer jobs from starting automatically when you start TCP/IP, type the following: CHGHTTPA AUTOSTART(*NO) Notes: a. AUTOSTART(*NO) is the default alue. b. Control which TCP/IP serers start automatically on page 124 proides more information about controlling which TCP/IP serers start automatically. 138 Tips and tools for securing your iseries serer V5R2

Step 2. By default, the HTTP serer job uses the QTMHHTTP user profile. To preent the HTTP serer from starting, set the status of the QTMHHTTP user profile to *DISABLED. Control access to the HTTP serer The primary purpose of running an HTTP serer is to proide access for isitors to a Web site on your iseries system. You might think of someone who isits your Web site as you would think of someone who iews an adertisement in a trade journal. The isitor is not aware of the hardware and software running your Web site, such as the type of serer you are using, and where your serer is physically located. Usually, you do not want to put any barrier (such as a Sign On display) between a potential isitor and your Web site. Howeer, you might want to restrict access to some of the documents or CGI programs that your Web site proides. You might also want a single iseries system to proide multiple logical Web sites. For example, your iseries system might support different branches of your business that hae different customer sets. For each of these branches of the business, you want a unique Web site that appears totally independent to the isitor. Additionally, you might want to proide internal Web sites (an intranet) with confidential information about your business. As a security administrator, you need to protect the contents of your Web site while, at the same time, you need to ensure that your security practices do not negatiely affect the alue of your Web site. In addition, you need to ensure that HTTP actiity does not jeopardize the integrity of your system or your network. The topics that follow proide security suggestions when you use the program. Administration considerations Following are some security considerations for administering your Internet serer. You perform setup and configuration functions by using a Web browser and the *ADMIN instance. For some functions, such as creating additional instances on the serer, you must use the *ADMIN serer. The default URL for the administration home page (the home page for the *ADMIN serer) is published in the documentation for products that proide browser administration functions. Therefore, the default URL will probably be known by hackers and published in hacker forums, just like the default passwords for IBM-supplied user profiles are known and published. You can protect yourself from this exposure in seeral ways: Only run the *ADMIN instance of the HTTP serer when you need to perform administratie functions. Do not hae the *ADMIN instance running all the time. Actiate SSL support for the *ADMIN instance (by using Digital Certificate Manager). The *ADMIN instance uses HTTP protection directies to require a user ID and password. When you use SSL, your user ID and password are encrypted (along with all the other information about your configuration that appears on the administration forms). Use a firewall both to preent access to the *ADMIN serer from the Internet and to hide your system and domain names, which are part of the URL. When you perform administration functions, you must sign on with a user profile that has *IOSYSCFG special authority. You might also need authority to specific objects on the system, such as the following: The libraries or directories that contain your HTML documents and CGI programs. Chapter 14. Secure TCP/IP communications 139

Any user profiles that you plan to swap to within the directies for the serer. The Access Control Lists (ACLs) for any directories that your directies use. A alidation list object for creating and maintaining user IDs and passwords. With both the *ADMIN serer and TELNET, you hae the capability to perform administration functions remotely, perhaps oer an Internet connection. Be aware that if you perform administration oer a public link (the Internet), you might be exposing a powerful user ID and password to sniffing. The sniffer can then use this user ID and password to attempt to access your system using, for example, TELNET or FTP. Notes: 1. With TELNET, the Sign On display is treated like any other display. Although the password does not display when you type it, the system transmits it without any encryption or encoding. 2. With the *ADMIN serer, the password is encoded not encrypted. The encoding scheme is an industry standard, and thus commonly known among the hacker community. Although the encoding is not easily understood by the casual sniffer, a sophisticated sniffer probably has tools to attempt to decode the password. Security tip If you plan to perform remote administration oer the Internet, you should use the *ADMIN instance with SSL, so that your transmissions are encrypted. Do not use an insecure application, such as a pre-v4r4 ersion of TELNET (TELNET supports SSL beginning with V4R4). If you are using the *ADMIN serer across an intranet of trusted users, you can probably safely use this for administration. The HTTP directies proide the foundation for all actiity on your serer. The shipped configuration proides the capability to sere a default Welcome page. A client cannot iew any documents except the Welcome page until the serer administrator defines directies for the serer. To define directies, use a Web browser and the *ADMIN serer or the Work with HTTP Configuration (WRKHTTPCFG) command. Both methods require *IOSYSCFG special authority. When you connect your iseries serer to the Internet, it becomes een more critical to ealuate and control the number of users in your organization who hae *IOSYSCFG special authority. Protect resources The IBM HTTP serer for iseries includes HTTP directies that can proide detailed control of the information assets that the serer uses. You can use directies to control from which directories the Web serer seres URLs for both HTML files and CGI programs, to swap to other user profiles, and to require authentication for some resources. Note: The documentation under Web sering in the Information Center proides complete descriptions of the aailable HTTP directies and how to use them. Following are some suggestions and considerations for using this support: The HTTP serer starts from the basis of explicit authority. The serer does not accept a request unless that request is explicitly defined in the directies. In 140 Tips and tools for securing your iseries serer V5R2

other words, the serer immediately rejects any request for a URL unless that URL is defined in the directies (either by name or generically). You can use protection directies to require a user ID and password before accepting a request for some or all of your resources. When a user (client) requests a protected resource, the serer challenges the browser for a user ID and password. The browser prompts the user to enter a user ID and password, and then sends the information to the serer. Some browsers store the user ID and password and send them automatically with subsequent requests. This frees the user from repeatedly entering the same user ID and password on each request. Because some browsers store the user ID and password, you hae the same user education task that you hae when users enter your system through the iseries serer Sign On display or through a router. An unattended browser session represents a potential security exposure. You hae three options for how the system handles user IDs and passwords (specified in the protection directies): 1. You can use normal iseries serer user profile and password alidation. This is most commonly used to protect resources in an intranet (secure network). 2. You can create Internet users : users that can be alidated but do not hae a user profile on the iseries serer. Internet users are implemented through an iseries serer object called a alidation list. Validation list objects contain lists of users and passwords that are specifically defined for use with a particular application. You decide how Internet user IDs and passwords are supplied (such as by an application, or by an administrator in response to an e-mail request), as well as how to manage Internet users. Use the HTTP serer s browser-based interface to set this up. For nonsecure networks (the Internet), using Internet users proides better oerall protection than using normal user profiles and passwords. The unique set of user IDs and passwords creates a built-in limitation on what those users can do. The user IDs and passwords are not aailable for normal sign-on (such as with TELNET or FTP). In addition, you are not exposing normal user IDs and passwords to sniffing. 3. Lightweight directory access protocol (LDAP) is a directory serice protocol that proides access to a directory oer a Transmission Control Protocol (TCP). It lets you store information in that directory serice and query it. LDAP is now supported as a choice for user authentication. Notes: 1. When the browser sends the user ID and the password (whether for an user profile or an Internet user), they are encoded, not encrypted. The encoding scheme is an industry standard, and thus commonly known among the hacker community. Although the encoding is not easily understood by the casual sniffer, a sophisticated sniffer probably has tools to attempt to decode them. 2. The iseries serer stores the alidation object in a protected system area. You can access it only with defined system interfaces (APIs) and proper authorization. You can use Digital Certificate Manager (DCM) to create your own intranet Certificate Authority. Digital Certificate automatically associates a certificate with the owner s user profile. The certificate has the same authorizations and permissions as the associated profile. Chapter 14. Secure TCP/IP communications 141

When the serer accepts a request, normal iseries serer resource security takes oer. The user profile that requests the resource must hae authority to the resource (such as the folder or source physical file that contains the HTML document). By default, jobs run under the QTMHHTTP user profile. You can use a directie to swap to a different user profile. The system then uses that user profile s authority to access objects. Following are some considerations for this support: Swapping user profiles can be particularly useful when your serer proides more than one logical Web site. You can associate a different user profile with the directies for each Web site, and thus use normal iseries serer resource security to protect the documents for each site. You can use the ability to swap user profiles in combination with the alidation object. The serer uses a unique user ID and password (separate from your normal user ID and password) to ealuate the initial request. After the serer has authenticated the user, the system then swaps to a different user profile and thus takes adantage of resource security. The user is, thus, not aware of the true user profile name and cannot attempt to use it in other ways (such as FTP). Some HTTP serer requests need to run a program on the HTTP serer. For example, a program might access data on your system. Before the program can run, the serer administrator must map the request (URL) to a specific user-defined program that conforms to CGI user-interface standards. Following are some considerations for CGI programs: You can use the protection directies for CGI programs just as you do for HTML documents. Thus, you can require a user ID and password before running the program. By default, CGI programs run under the QTMHHTP1 user profile. You can swap to a different user profile before running the program. Therefore, you can set up normal iseries serer resource security for the resources that your CGI programs access. As security administrator, you should perform a security reiew before authorizing the use of any CGI program on your system. You should know where the program came from and what functions the CGI program performs. You should also monitor the capabilities of the user profiles under which you run CGI programs. You should also perform testing with CGI programs to determine, for example, whether you can gain access to a command line. Treat CGI programs with the same igilance that you treat programs that adopt authority. In addition, be sure to ealuate what sensitie objects might hae inappropriate public authority. A poorly designed CGI program might, in rare cases, allow a knowledgeable, deious user to attempt to roam your system. Use a specific user library, such as CGILIB, to hold all your CGI programs. Use object authority to control both who can place new objects in this library and who can run programs in this library. Use the directies to limit the HTTP serer to running CGI programs that are in this library. Note: If your serer proides multiple logical Web sites, you might want to set up a separate library for the CGI programs for each site. Other security considerations Following are additional security considerations: HTTP proides read-only access to your iseries system. HTTP serer requests cannot update or delete data on your system directly. Howeer, you might hae CGI programs that update data. Additionally, you can enable the Net.Data CGI 142 Tips and tools for securing your iseries serer V5R2

program to access your iseries serer database. The system uses a script (which is similar to an exit program) to ealuate requests to the Net.Data program. Therefore, the system administrator can control what actions the Net.Data program can take. The HTTP serer proides an access log that you can use to monitor both accesses and attempted accesses through the serer. The HTTP Serer for iseries Webmaster s Guide proides more information about security considerations. Security considerations for using SSL with IBM HTTP Serer for iseries IBM HTTP Serer for iseries can proide secure Web connections to your iseries serer. A secure web site means that transmissions between the client and the serer (in both directions) are encrypted. These encrypted transmissions are safe both from the scrutiny of sniffers and from those who attempt either to capture or to alter the transmissions. Note: Keep in mind that a secure Web site applies strictly to the security of the information that passes between client and serer. The intent of this is not to reduce your serer s ulnerability to hackers. Howeer, it certainly limits the information that a would-be hacker can obtain easily through sniffing. The topics on SSL and Websering (HTTP) in the information center proides complete information for installing, configuring, and managing the encryption process. These topics proide both an oeriew of the serer features and some considerations for using the serer. Internet Connection Serer proides HTTP and HTTPS support when one of the following licensed programs is installed: 5722 NC1 5722 NCE When these options are installed, the product is referred to as the Internet Connection Secure Serer. IBM HTTP Serer for iseries (5722 DG1) proides both http and https support. You must install one of the following cryptographic products to enable SSL: 5722 AC2 5722 AC3 Security that depends on encryption has seeral requirements: Both the sender and receier (serer and client) must understand the encryption mechanism and be able to perform encryption and decryption. The HTTP serer requires an SSL-enabled client. (Most popular Web browsers are SSL-enabled.) The iseries encryption licensed programs support seeral industry-standard encryption methods. When a client attempts to establish a secure session, the serer and client negotiate to find the most secure encryption method that both of them support. The transmission must not be able to be decrypted by an eaesdropper. Thus, encryption methods require both parties to hae an encryption/decryption priate key that only they know. If you want to hae a secure external Web site, you should use an independent certificate authority (CA) to create and issue digital certificates to users and serers. The certificate authority is known as a trusted party. Chapter 14. Secure TCP/IP communications 143

Encryption protects the confidentiality of transmitted information. Howeer, for sensitie information, such as financial information, you want integrity and authenticity in addition to confidentiality. In other words, the client and (optionally) the serer must trust the party on the other end (through an independent reference) and they must be sure that the transmission has not been altered. The digital signature that is proided by a certification authority (CA) proides these assurances of authenticity and integrity. The SSL protocol proides authentication by erifying the digital signature of the serer s certificate (and optionally the client s certificate). Encryption and decryption require processing time and will affect the performance of your transmissions. Therefore, iseries serers proide the capability to run both the programs for secure and insecure sering at the same time. You can use the insecure HTTP serer to sere documents that do not require security, such as your product catalog. These documents will hae a URL that starts with http://. You can use a secure HTTP serer for sensitie information such as the form where the customer enters credit card information. The program can sere documents whose URL starts either with http:// or with https://. Reminder It is good Internet etiquette to inform your clients when transmissions are secure and not secure, particularly when your Web site only uses a secure serer for some documents. Keep in mind that encryption requires both a secure client and a secure serer. Secure browsers (HTTP clients) hae become fairly common. Security considerations for LDAP Lightweight Directory Access Protocol (LDAP) security features include Secure Sockets Layer (SSL), Acess Control Lists, and CRAM-MD5 password encryption. In V5R1, Kerberos connections and Security auditing support were added to enhance LDAP security. For more information on these topics, refer to the iseries Information Center >Networking >TCP/IP >Directory Serices (LDAP). See Prerequisite and related information on page xii for information on accessing the iseries Information Center. Security considerations for LPD LPD (line printer daemon) proides the capability to distribute printer output to your system. The system does not perform any sign-on processing for LPD. Preent LPD access If you do not want anyone to use LPD to access your system, you should preent the LPD serer from running. Do the following: Step 1. To preent LPD serer jobs from starting automatically when you start TCP/IP, type the following: CHGLPDA AUTOSTART(*NO) Notes: a. AUTOSTART(*YES) is the default alue. 144 Tips and tools for securing your iseries serer V5R2

Step 2. b. Control which TCP/IP serers start automatically on page 124 proides more information about controlling which TCP/IP serers start automatically. To preent someone from associating a user application, such as a socket application, with the port that the system normally uses for LPD, do the following: Step a. Type GO CFGTCP to display the Configure TCP/IP menu. Step b. Select option 4 (Work with TCP/IP port restrictions). Step c. On the Work with TCP/IP Port Restrictions display, specify option 1 (Add). Step d. For the lower port range, specify 515. Step e. For the upper port range, specify *ONLY. Notes: 1) The port restriction takes effect the next time that you start TCP/IP. If TCP/IP is actie when you set the port restrictions, you should end TCP/IP and start it again. 2) RFC1700 proides information about common port number assignments. Step f. For the protocol, specify *TCP. Step g. For the user profile field, specify a user profile name that is protected on your system. (A protected user profile is a user profile that does not own programs that adopt authority and does not hae a password that is known by other users.) By restricting the port to a specific user, you automatically exclude all other users. Step h. Repeat steps 2c through 2g for the *UDP protocol. Control LPD access If you want to allow LPD clients to access your system, be aware of the following security issues: To preent a user from swamping your system with unwanted objects, be sure that you hae set adequate threshold limits for your auxiliary storage pools (ASPs). You can display and set the thresholds for ASPs by using either system serice tools (SST) or dedicated serice tools (DST). The Backup and Recoery book proides more information about ASP thresholds. You can use the authority to output queues to restrict who can send spooled files to your system. LPD users without a user ID use the QTMPLPD user profile. You can gie this user profile access to only a few output queues. Security considerations for SNMP The iseries serer can act as a simple network management protocol (SNMP) agent in a network. SNMP proides a means for managing the gateways, routers, and hosts in a network enironment. An SNMP agent gathers information about the system and performs functions that remote SNMP network managers request. Preent SNMP access If you do not want anyone to use SNMP to access your system, you should preent the SNMP serer from running. Do the following: Step 1. To preent SNMP serer jobs from starting automatically when you start TCP/IP, type the following: Chapter 14. Secure TCP/IP communications 145

CHGSNMPA AUTOSTART(*NO) Step 2. Notes: a. AUTOSTART(*YES) is the default alue. b. Control which TCP/IP serers start automatically on page 124 proides more information about controlling which TCP/IP serers start automatically. To preent someone from associating a user application, such as a socket application, with the port that the system normally uses for SNMP, do the following: Step a. Type GO CFGTCP to display the Configure TCP/IP menu. Step b. Select option 4 (Work with TCP/IP port restrictions). Step c. On the Work with TCP/IP Port Restrictions display, specify option 1 (Add). Step d. For the lower port range, specify 161. Step e. For the upper port range, specify *ONLY. Notes: 1) The port restriction takes effect the next time that you start TCP/IP. If TCP/IP is actie when you set the port restrictions, you should end TCP/IP and start it again. 2) RFC1700 proides information about common port number assignments. Step f. For the protocol, specify *TCP. Step g. For the user profile field, specify a user profile name that is protected on your system. (A protected user profile is a user profile that does not own programs that adopt authority and does not hae a password that is known by other users.) By restricting the port to a specific user, you automatically exclude all other users. Step h. Repeat steps 2c through 2g for the *UDP protocol. Control SNMP access If you want to allow SNMP managers to access your system, be aware of the following security issues: Someone who can access your network with SNMP can gather information about your network. Information that you hae hidden by using aliases and a domain-name serer becomes aailable to the would-be intruder through SNMP. Additionally, an intruder might use SNMP to alter your network configuration and disrupt your communications. SNMP relies on a community name for access. Conceptually, the community name is similar to a password. The community name is not encrypted. Therefore, it is ulnerable to sniffing. Use the Add Community for SNMP (ADDCOMSNMP) command to set the manager internet address (INTNETADR) parameter to one or more specific IP addresses instead of *ANY. You can also set the OBJACC parameter of the ADDCOMSNMP or CHGCOMSNMP commands to *NONE to preent the managers in a community from accessing any MIB objects. This is intended to just be done temporarily to deny access to managers in a community without remoing the community. 146 Tips and tools for securing your iseries serer V5R2

Security considerations for INETD serer Unlike most TCP/IP serers, the INETD serer does not proide one single serice to clients. Instead, it proides a ariety of miscellaneous serices that administrators can customize. For that reason, the INETD serer is sometimes called the super serer. The INETD serer has the following built-in serices: time daytime echo discard changed These serices are supported for both TCP and UDP. For UDP, the echo, time, daytime, and changed serices receie UDP packets, then send the packets back to the originator. The echo serer echoes back packets that it receies, the time and daytime serers generate the time in a specific format and sends it back, and the changed serer generates a packet of printable ASCII characters and sends it back. The nature of these UDP serices makes a system ulnerable to a denial of serice attack. For example, assume that you hae two iseries serers: SYSTEMA and SYSTEMB. A malicious programmer could forge the IP header and the UDP header with a source address of SYSTEMA and a UDP port number of the time serer. He can then send that packet to the time serer on SYSTEMB, which will send the time to SYSTEMA, which will respond back to SYSTEMB, and so on, generating a continuous loop and consuming CPU resources on both systems, as well as network bandwidth. Therefore, you should consider the risk of such an attack on your iseries system, and only run these serices on a secure network. The INETD serer is shipped to not be auto started when you start TCP/IP. You can configure whether or not to start the serices when INETD is started. By default, the TCP and UDP time serers and daytime serers are both started when you start the INETD serer. There are two configuration files for the INETD serer: /QIBM/UserData/OS400/inetd/inetd.conf /QIBM/ProdData/OS400/inetd/inetd.conf These files determine what programs start when the INETD serer starts. They also determine what user profile these programs are running under when INETD starts them. Note: The configuration file in proddata should neer be modified. It is replaced each time the system is reloaded. Customer configuration changes should only be placed in the file, in the userdata directory tree, as this file in not updated during release upgrades. If a malicious programmer got access to these files, she could configure them to start any program when INETD started. Therefore it is ery important to protect these files. By default they require QSECOFR authority to make changes. You should not reduce the authority required to access them. Note: Do not modify the configuration file in the ProdData directory. That file is replaced each time that the system is reloaded. Customer configuration changes should only be placed in the file in the UserData directory tree, as that file is not updated during release upgrades. Chapter 14. Secure TCP/IP communications 147

Security considerations for limiting TCP/IP roaming If your system is connected to a network, you may want to limit your users ability to roam the network with TCP/IP applications. One way to do this is to restrict access to the following client TCP/IP commands: Note: These commands might exist in seeral libraries on your system. They are in both the QSYS library and the QTCP library, at a minimum. Be sure to locate and secure all occurrences. STRTCPFTP FTP STRTCPTELN TELNET LPR SNDTCPSPLF RUNRMTCMD (REXEC client) Your users possible destinations are determined by the following: Entries in your TCP/IP host table. *DFTROUTE entry in the TCP/IP route table. This allows users to enter the IP address of the next-hop system when their destination is an unknown network. A user can reach or contact a remote network by using the default route. Remote name serer configuration. This support allows another serer in the network to locate host names for your users. Remote system table. You need to control who can add entries to these tables and change your configuration. You also need to understand the implications of your table entries and your configuration. Be aware that a knowledgeable user with access to an ILE C compiler can create a socket program that can attach to a TCP or UDP port. You can make this more difficult by restricting access to the following sockets interface files in the QSYSINC library: SYS NETINET H ARPA sockets and SSL For serice programs, you can restrict use of socket and SSL applications that are already compiled by restricting use of these serice programs: QSOSRV1 QSOSRV2 QSOSKIT(SSL) QSOSSLSR(SSL) The serice programs are shipped with public authority *USE, but the authority can be changed to *EXCLUDE (or another alue as needed). 148 Tips and tools for securing your iseries serer V5R2

Chapter 15. Secure workstation access Preent workstation iruses Many of your system users hae personal computers (PCs) on their desks as their workstations. They use tools that run on the PC, and they use the PC to connect to iseries serer. Most methods of connecting a PC to iseries serers proide more function than workstation emulation. The PC may look like a display to iseries and proide the user with interactie sign-on sessions. In addition, the PC may look to iseries serers like another computer and proide functions such as file transfer and remote procedure call. As an iseries serer security administrator, you need to be aware of the following: Functions that are aailable to PC users who are connected to your system iseries serer resources that PC users can access. You may want to preent adanced PC functions (such as file transfer and remote procedure call) if your iseries serer security scheme is not yet prepared for those functions. Probably, your long-range goal is to allow adanced PC functions while you still protect the information on your system. The topics that follow discuss some of the security issues that are associated with PC access. This information suggests ways that security administrators can safeguard against PC iruses. Secure workstation data access Some PC client software uses shared folders to store information on the serer. To access iseries database files, the PC user has a limited, well-defined set of interfaces. With the file transfer capability that is part of most client/serer software, the PC user can copy files between the serer and the PC. With database access capability; such as a DDM file, remote SQL, or an ODBC drier; the PC user can access data on the serer. In this enironment, you can create programs to intercept and ealuate PC-user requests to access serer resources. When the requests use a DDM file, you specify the exit program in the distributed data management access (DDMACC) network attribute. For some methods of PC file transfer, you specify the exit program in the client request access (PCSACC) network attribute. Or, you can specify PCSACC (*REGFAC) to use the registration function. When the requests use other serer functions to access data, you can use the WRKREGINF command to register exit programs for those serer functions. Exit programs, howeer, can be difficult to design, and they are rarely foolproof. Exit programs are not a replacement for object authority, which is designed to protect your objects from unauthorized access from any source. Some client software, such as IBM iseries Access for Windows, uses the integrated file system to store and access data on iseries serers. With the integrated file system, the entire serer becomes more easily aailable to PC users. Object Copyright IBM Corp. 1996, 2002 149

authority becomes een more essential. Through the integrated file system, a user with sufficient authority can iew a serer library as if it is a PC directory. Simple moe and copy commands can instantly moe data from an iseries serer library to a PC directory or ice ersa. The system automatically makes the appropriate changes to the format of the data. Notes: 1. You can use an authorization list to control the use of objects in the QSYS.LIB file system. See Restrict access to the QSYS.LIB file system on page 103 for more information. 2. Chapter 12, Use Integrated File System to secure files on page 97 proides more information about security issues with the integrated file system. The strength of the integrated file system is its simplicity for users and deelopers. With a single interface, the user can work with objects in multiple enironments. The PC user does not need special software or APIs to access objects. Instead, the PC user can use familiar PC commands or point and click to work with objects directly. For all systems that hae PCs attached, but particularly for systems that hae client software that uses the integrated file system, a good object authority scheme is critical. Because security is integrated into the OS/400 product, any request to access data must go through the authority checking process. Authority checking applies to requests from any source and to data access that uses any method. Object authority with workstation access When you set up authority for objects, you need to ealuate what that authority proides for the PC user. For example, when a user has *USE authority to a file, the user can iew or print data in the file. The user cannot change information in the file or delete the file. For the PC user, iewing is equialent to reading, which proides sufficient authority for the user to make a copy of a file on the PC. This may not be what you intend. For some critical files, you may need to set the public authority to *EXCLUDE to preent downloading. You can then proide another method to iew the file on the serer, such as using a menu and programs that adopt authority. Another option to preent downloading is to use an exit program that runs wheneer a PC user starts a serer function (other than interactie sign-on). You can specify an exit program in the PCSACC network attribute by using the Change Network Attribute (CHGNETA) command. Or, you can register exit programs by using the Work with Registration Information (WRKREGINF) command. The method that you use depends on how PCs are accessing data on your system and which client program the PCs use. The exit program (QIBM_QPWFS_FILE_SERV) applies to iseries Access and Net Serer access to IFS. It does not preent access from a PC with other mechanisms, such as FTP or ODBC. PC software typically proides upload capability also, so that a user can copy data from the PC to a serer database file. If you hae not set up your authority scheme correctly, a PC user might oerlay all of the data in a file with data from a PC. You need to assign *CHANGE authority carefully. Reiew Appendix D in the iseries Security Reference book to understand what authority is required for file operations. 150 Tips and tools for securing your iseries serer V5R2

The iseries Information Center proides more information about the authority for PC functions and about using exit programs. See Prerequisite and related information on page xii for details. Application Administration Application Administration is an optionally-installable component of iseries Naigator, the graphical user interface (GUI) for the iseries serer. Application Administration allows system administrators to control the functions or applications aailable to users and groups on a specific serer. This includes controlling the functions aailable to users that access their serer through clients. It is important to note here, that if you access the serer from a Windows client, the iseries serer user and not the Windows user determines which functions are aailable for administration. For complete documentation on iseries Naigator Application Administration, refer to the iseries Information Center >Connecting to iseries >What to connect with >iseries Naigator (../html/as400/5r2/ic2924/info/rzaj3/rzaj3oeriew.htm). Policy administration Policies are a tool for administrators to use as they configure software on their client PCs. Policies can restrict which functions and applications a user has access to on the PC. Policies can also suggest or mandate configurations to be used by certain users or certain PCs. Note: Polices do not offer control oer serer resources. Policies are not a substitute for serer security. Policies can be used to affect how iseries Access is able to access the serer from a particular PC, by a particular user. Howeer, they do not change how serer resources can be accessed ia other mechanisms. Policies are stored on a file serer. Each time the user signs on to their Windows workstation, the policies that apply to that Windows user are downloaded from the file serer. The policies are applied to the registry before the user does anything on the workstation. Microsoft policies ersus application administration iseries Access Express supports two different strategies for implementing administratie control within your network: Microsoft system policies and iseries Naigator Application Administration. Consider the following when deciding which strategy is best suited for your needs. Microsoft system policies Policies are PC drien, not dependent upon specific OS/400 releases. Policies can apply to PCs, as well as Windows users. This means that users refer to the Windows user profile, not the serer user profile. Policies can be used to configure as well as to restrict. Policies typically will offer more granularity than Application Administration, and can offer a larger breadth of function. This is because a connection to the serer is not needed to determine whether the user can use the function or not. Implementing policies is more complicated than implementing Application Administration because the use of the Microsoft system policy editor is required and PCs must be indiidually configured to download policies. Chapter 15. Secure workstation access 151

iseries Naigator application administration Application Administration associates data with the user profile, instead of the Windows profile that Microsoft system policies associate with. While iseries serers running V4R3 or later of the OS/400 product are required in order to use Application Administration, some functions are only aailable at V4R4 or later. Application Administration uses the graphical user interface of iseries Naigator to administer, which is much easier to use than policy editor. Application Administration info applies to the user regardless of which PC he signs on from. Particular functions within iseries Naigator can be restricted. Application Administration is preferable if all of the functions you want to restrict are Application Administration-enabled, and if the ersion of OS/400 being used supports Application Administration. Use SSL with iseries Access for Windows For information about using iseries Access Express with SSL, reiew the iseries Information Center topics Secure Sockets Layer Administration, Securing iseries Access Express and iseries Naigator, iseries Deeloper Kit for Jaa, and iseries Jaa Toolbox under the Jaa main topic. You may also reiew this information on the CD proided to you with your system. iseries Naigator security iseries Naigator proides an easy-to-use interface to your serer for users who hae iseries Access. With each new release of the OS/400 product, more serer function becomes aailable through iseries Naigator. An easy-to-use interface proides many benefits, including reduced technical support costs and an improed image for your system. It also presents security challenges. As a security administrator, you can no longer rely on the ignorance of your users to protect resources. iseries Naigator makes many functions easy and isible for your users. You need to ensure that you hae designed and implemented security policies for user profiles and for object security to meet your security needs. V4R4 and later ersions of iseries Access for Windows proide the following methods to control the functions that users can perform through iseries Naigator: Selectie install Application administration Windows NT system policy support iseries Naigator is packaged into multiple components that you can install separately. This allows you to install only the functions that you require. Application Administration allows an administrator to control the functions that a user or group can access through iseries Naigator. Application Administration organizes applications into the following categories: iseries Naigator Includes iseries Naigator and any plug-ins. Client applications Includes all other client applications, including iseries Access, that proide functions on clients that are administered through Application Administration. Host applications Includes all applications that reside entirely on your serer and proide functions that are administered through Application Administration. 152 Tips and tools for securing your iseries serer V5R2

Preent ODBC access You can use selectie install, application administration, and policies to limit the iseries Naigator functions that a user can access. None of these, howeer, should be used for resource security. Beginning in V4R4, iseries Access for Windows also supports using the Windows NT System Policy Editor to control what functions can be performed from a particular PC client, regardless of who is using that PC. See the iseries Information Center for additional information on selectie installation, Application Administration and Policy Administration. The Limit access to program function on page 9 section of this book also contains some discussion of application administration. Open database connectiity (ODBC) is a tool that PC applications can use to access iseries data as if the data is PC data. The ODBC programmer can make the physical location of the data transparent to the user of the PC application. For more information regarding ODBC security considerations, go to the iseries Access for Windows ODBC security information (/rzaii/rzaiiodbc09.htm), located in the iseries Information Center. Security considerations for workstation session passwords Typically, when a PC user starts the connection software, such as iseries Access, the user types the user ID and password for the serer once. The password is encrypted and stored in PC memory. Wheneer the user establishes a new session to the same serer, the PC sends the user ID and password automatically. Some client/serer software also proides the option of bypassing the Sign On display for interactie sessions. The software will send the user ID and encrypted password when the user starts an interactie (5250 emulation) session. To support this option, the QRMTSIGN system alue on the serer must be set to *VERIFY. When you choose to allow bypassing the Sign On display, you need to consider the security trade-offs. Security exposure: For 5250 emulation or any other type of interactie session, the Sign On display is the same as any other display. Although the password is not displayed on the screen when it is typed, the password is sent oer the link in unencrypted form just like any other data field. For some types of links, this may proide the opportunity for a would-be intruder to monitor the link and to detect a user ID and password. Monitoring a link by using electronic equipment is often referred to as sniffing. Beginning with V4R4, you can use secure sockets layer (SSL) to encrypt communication between iseries Access and the iseries serer. This protects your data, including passwords, from sniffing. When you choose the option to bypass the Sign On display, the PC encrypts the password before it is sent. Encryption aoids the possibility of haing a password stolen by sniffing. Howeer, you must ensure that your PC users practice operational security. An unattended PC with an actie session to the iseries system proides the opportunity for someone to start another session without knowing a user ID and password. PCs should be set up to lock when the system is inactie for an extended period, and they should require a password to resume the session. Chapter 15. Secure workstation access 153

Een if you do not choose to bypass the Sign On display, an unattended PC with an actie session represents a security exposure. By using PC software, someone can start a serer session and access data, again without knowing a user ID and a password. The exposure with 5250 emulation is somewhat greater because it requires less knowledge to start a session and begin accessing data. You also need to educate your users about the effect of disconnecting their iseries Access session. Many users assume (logically but incorrectly) that the disconnect option completely stops their connection to the serer. In fact, when a user selects the option to disconnect, the serer makes the user s session (license) aailable for another user. Howeer, the client s connection to the serer is still open. Another user could walk up to the unprotected PC and get access to serer resources without eer entering a user ID and password. You can suggest two options for your users who need to disconnect their sessions: Ensure that their PCs hae a lockup function that requires a password. This makes an unattended PC unaailable to anyone who does not know the password. To completely disconnect a session, either log off Windows or restart (reboot) the PC. This ends the session to the iseries. You also need to educate your users about a potential security exposure when they use iseries Access for Windows. When a user specifies a UNC (uniersal naming conention) to identify an iseries resource, the Win95 or NT client builds a network connection to link to the serer. Because the user specifies a UNC, the user does not see this as a mapped Network Drie. Often, the user is not een aware of the existence of the network connection. Howeer, this network connection represents a security exposure on an unattended PC because the serer appears in the directory tree on the PC. If the user s session has a powerful user profile, serer resources might be exposed on an unattended PC. As with the preious example, the remedy is to ensure both that users understand the exposure and that they use their PC s lockup function. Protect the serer from remote commands and procedures A knowledgeable PC user with software such as iseries Access can run commands on the serer without going through the Sign On display. The following are seeral methods that are aailable for PC users to run serer commands. Your client/serer software determines the methods that your PC users hae aailable to them. A user can open a DDM file and use the remote command function to run a command. Some software, such as iseries Access optimized clients, proides the remote command function through Distributed Program Call (DPC) APIs, without the use of DDM. Some software, such as remote SQL and ODBC, proides a remote command function without either DDM or DPC. For client/serer software that uses DDM for remote command support, you can use the DDMACC network attribute to preent remote commands completely. For client/serer software that uses other serer support, you can register exit programs for the serer. If you want to allow remote commands, you must make sure that your object authority scheme protects your data adequately. Remote command capability is equialent to giing a user a command line. In addition, 154 Tips and tools for securing your iseries serer V5R2

when iseries receies a remote command through DDM, the system does not enforce the user profiles Limited capability (LMTCPB) setting. Protect workstations from remote commands and procedures Gateway serers IBM iseries Access for Windows proides the capability of receiing remote commands on the PC. You can use the Run Remote Command (RUNRMTCMD) command on the serer to run a procedure on an attached PC. The RUNRMTCMD capability is a aluable tool for system administrators and help-desk personnel. Howeer, it also proides the opportunity for damaging PC data, either deliberately or accidentally. PCs do not hae the same object authority functions as iseries serers. Your best protection against problems with the RUNRMTCMD command is to carefully restrict the system users who hae access to the command. IBM iseries Access for Windows proides the capability to register which users can run remote commands on a specific PC. When the connection is ia TCP/IP, you can use the properties control panel on the client to control remote-command access. You can authorize users by user ID or by the remote system name. When the connection is ia SNA, some client software proides the capability to set up security for the conersation. With other client software, you simply choose whether or not to set up the incoming-command capability. For each combination of client software and connection type (such as TCP/IP or SNA), you need to reiew the potential for incoming-commands to attached PCs. Consult the client documentation by searching for incoming command or RUNRMTCMD. Be prepared to adise your PC users and network administrators about the correct (secure) way to configure clients to permit or preent this capability. Your system may participate in a network with an intermediate or gateway serer between the iseries system and the PCs. For example, your iseries system might be attached to a LAN with a PC serer that has PCs that are attached to the serer. The security issues in this situation depend on the capabilities of the software that is running on the gateway serer. Figure 13 shows an example of a gateway-serer configuration: Figure 13. iseries system with a gateway serer With some software, your iseries system will not know about any users (such as USERA or USERC) who are downstream from the gateway serer. The serer will Chapter 15. Secure workstation access 155

sign on to the system as a single user (USERGTW). It will use the USERGTW user ID to handle all requests from downstream users. A request from USERA will look to the serer like a request from user USERGTW. If this is the case, you must rely on the gateway serer for security enforcement. You must understand and manage the security capabilities of the gateway serer. From an iseries serer perspectie, eery user has the same authority as the user ID that the gateway serer uses to start the session. You might think of this as equialent to running a program that adopts authority and proides a command line. With other software, the gateway serer passes requests from indiidual users to iseries serers. The iseries serer knows that USERA is requesting access to a particular object. The gateway is almost transparent to the sytem. If your system is in a network that has gateway serers, you need to ealuate how much authority to proide to the user IDs that are used by the gateway serers. You also need to understand the following: The security mechanisms that the gateway serers enforce. How downstream users will appear to your iseries system. Wireless LAN communications Some clients might use the iseries Wireless LAN to communicate to your system without wires. The iseries Wireless LAN uses radio-frequency communications technology. As a security administrator, you should be aware of the following security characteristics of iseries Wireless LAN products: These wireless LAN products use spread spectrum technology. This same technology has been used by the goernment in the past to secure radio transmissions. To someone who attempts to electronically monitor for data transmissions, the transmissions appear to be noise rather than an actual transmission. The wireless connection has three security-releant configuration parameters: Data rate (two possible data rates) Frequency (fie possible frequencies) System identifier (8 million possible identifiers) These configuration elements combine to proide 80 million possible configurations, which makes a hacker s likelihood of guessing the correct configuration extremely slim. Just like with other communications methods, the security of wireless communications is affected by the security of the client deice. The system ID information and other configuration parameters are in a file on the client deice and should be protected. If a wireless deice is lost or stolen, normal serer security measures, such as sign-on passwords and object security, proide protection when an unauthorized user attempts to use the lost or stolen unit to access your system. If a wireless client unit is lost or stolen, you should consider changing the system ID information for all users, access points, and systems. Think of this as changing the locks on your doors if a set of keys is stolen. You might want to partition your serer into groups of clients that hae unique system IDs. This limits the impact if a unit is lost or stolen. This method works only if you can confine a group of users to a specific portion of your installation. 156 Tips and tools for securing your iseries serer V5R2

Unlike wired LAN technology, wireless LAN technology is proprietary. Therefore, no electronic sniffers are publicly aailable for these wireless LAN products. A sniffer is an electronic deice that performs unauthorized monitoring of a transmission. Chapter 15. Secure workstation access 157

158 Tips and tools for securing your iseries serer V5R2

Chapter 16. Security exit programs Some iseries serer functions proide an exit so that your system can run a user-created program to perform additional checking and alidation. For example, you can set up your system to run an exit program eery time that someone attempts to open a DDM (distributed data management) file on your system. You can use the registration function to specify exit programs that run under certain conditions. Seeral iseries publications contain examples of exit programs that perform security functions. Table 24 proides a list of these exit programs and sources for example programs. Table 24. Sources of Sample Exit Programs Type of exit program Purpose Where to find examples Password alidation The QPWDVLDPGM system alue can An Implementation Guide for iseries Security specify a program name or indicate that and Auditing, GG24 4200 alidation programs registered for the iseries Security Reference, SC41-5302-06 QIBM_QSY_VLD_PASSWRD exit point be used to check a new password for additional requirements that are not handled by the QPWDxxx system alues. The use of this program should be carefully monitored because it receies unencrypted passwords. This program should not store passwords in a file or pass them to another program. PC Support/400 or Client Access access 1 Distributed Data Management (DDM) access Remote sign on You can specify this program name in the Client request access (PCSACC) parameter of the network attributes to control the following functions: Virtual printer function File transfer function Shared folders Type 2 function Client access message function Data queues Remote SQL function You can specify this program name in the DDM request access (DDMACC) parameter of the network attributes to control the following functions: Shared folders Type 0 and 1 function Submit Remote Command function You can specify a program in the QRMTSIGN system alue to control what users can be automatically signed on from which locations (pass-through.) An Implementation Guide for iseries Security and Auditing, GG24 4200 An Implementation Guide for iseries Security and Auditing, GG24 4200 An Implementation Guide for iseries Security and Auditing, GG24 4200 Copyright IBM Corp. 1996, 2002 159

Table 24. Sources of Sample Exit Programs (continued) Type of exit program Purpose Where to find examples Open Database Connectiity (ODBC) with iseries Access 1 QSYSMSG break handling program TCP/IP User profile changes Control the following functions of ODBC: Whether ODBC is allowed at all. What functions are allowed for iseries database files. What SQL statements are allowed. What information can be retrieed about database serer objects. What SQL catalog functions are allowed. You can create a program to monitor the QSYSMSG message queue and take appropriate action (such as notifying the security administrator) depending on the type of message. Seeral TCP/IP serers (such as FTP, TFTP, TELNET, and REXEC) proide exit points. You can add exit programs to handle log-on and to alidate user requests, such as requests to get or put a specific file. You can also use these exits to proide anonymous FTP on your system. You can create exit programs for the following user profile commands: CHGUSRPRF CRTUSRPRF DLTUSRPRF RSTUSRPRF None aailable. An Implementation Guide for iseries Security and Auditing, GG24 4200 TCP/IP User Exits in the iseries System API Reference book iseries Security Reference, SC41-5302-06 TCP/IP User Exits in the iseries System API Reference book Notes: 1. Additional information on this topic can be found in the iseries Information Center. See Prerequisite and related information on page xii for more details. 160 Tips and tools for securing your iseries serer V5R2

Chapter 17. Security considerations for Internet browsers Risk: workstation damage Many PC users in your organization hae browsers on their workstations. They might connect to the Internet. They might also connect to your serer. Following are some security considerations both for the PCs and for your serer. A Web page that your user isits might hae an associated program, such as a Jaa applet, an Actie-X control, or some other type of plug-in. Although it is rare, this type of program when run on a PC has the potential to damage the information on the PC. As a security administrator, consider the following for protecting PCs in your organization: Understand the security options of the different browsers that your users hae. For example, with some browsers, you can control the access that Jaa applets hae outside the browser (the restricted operating enironment of Jaa is called the sandbox). This can preent applets from damaging PC data. Note: The sandbox concept and its associated security restrictions do not exist for Actie-X and other plug-ins. Make recommendations to your users about their browser settings. You probably do not hae either the time or the resources to ensure that users follow your recommendations. Therefore, you must educate them about the potential risks of improper settings. Consider standardizing on Web browsers that proide the security options that you need. Instruct your users to inform you of any suspicious behaior or symptoms that might be associated with particular Web sites. Risk: access to iseries directories through mapped dries Assume that a PC is connected to your serer with an IBM iseries Access for Windows session. The session set up mapped dries to link to the iseries integrated file system. For example, the PC s G drie might map to the integrated file system of the SYSTEM1 serer in the network. Now assume that the same PC user has a browser and can access the Internet. The user requests a Web page that runs a mischieous program such as a Jaa applet or Actie-X control. Conceiably, the program could attempt to erase eerything on the PC s G drie. You hae seeral protections against damage to mapped dries: Your most important protection is resource security on your serer. The Jaa applet or Actie-X control looks to the serer like the user who established the PC session. You need to carefully manage what PC users are authorized to do on your serer. Adise your PC users to set their browsers to preent attempts to access mapped dries. This works for Jaa applets but not for Actie-X controls, which do not hae the sandbox concept. Educate your users about the dangers of being connected to your serer and the Internet in the same session. Also, make sure your PC users (with Windows 95 Copyright IBM Corp. 1996, 2002 161

Risk: trusted signed applets clients, for example) understand that dries remain mapped een when the iseries Access session appears to be ended. Your users might hae followed your adice and set up their browsers to preent applets from writing to any PC dries. Howeer, your PC users need to be aware that a signed applet can oerride the setting for their browser. A signed applet has an associated digital signature to establish its authenticity. When a user accesses a Web page that has a signed applet, the user sees a message. The message indicates the applet s signature (who signed it and when it was signed). When your user accepts the applet, the user grants the applet an oerride to the security settings for the browser. The signed applet can write to the PC s local dries, een though the default setting for the browser preents it. The signed applet can also write to mapped dries on your serer because they appear to the PC to be local dries. For your own Jaa applets that come from your serer, you might need to use signed applets. Howeer, you should instruct your users in general not to accept signed applets from unknown sources. 162 Tips and tools for securing your iseries serer V5R2

Chapter 18. Related information Manuals APPC Programming, SC41-5443-00describes the adanced program-to-program communications (APPC) support for the iseries system. This book guides in deeloping application programs that use APPC and defining the communications enironment for APPC communications. It includes application program considerations, configuration requirements and commands, problem management for APPC, and general networking considerations. See the iseries: Information Center Supplemental CD-ROM. AS/400 Internet Security: Protecting Your AS/400 from HARM on the Internet, SG24-4929 discusses the security issues and risk associated with connecting your iseries to the Internet. It proides examples, recommendations, tips and techniques for TCP/IP applications. Backup and Recoery, SC41-5304-06 proides information about planning a backup and recoery strategy, saing information from your system, and recoering your system. See the iseries: Information Center Supplemental CD-ROM. Additional information on these topics can also be found in the iseries Information Center. See Prerequisite and related information on page xii for more details. CL Programming, SC41-5721-05, proides detailed descriptions for coding the data description specifications (DDS) for files that can be described externally. These files are physical, logical, display, print, and intersystem communication function (ICF) files. See the iseries: Information Center Supplemental CD-ROM The CL topic in the Information Center (See Prerequisite and related information on page xii for more details.) proides a description of all the iseries control language (CL) and its OS/400 commands. The OS/400 commands are used to request functions of the Operating System/400 (5738-SS1) licensed program. All the non-os/400 CL commands--those associated with the other licensed programs, including all the arious languages and utilities--are described in other books that support those licensed programs. Implementing iseries Security, 3rd Edition by Wayne Madden and Carol Woodbury. Loeland, Colorado: 29th Street Press, a diision of Duke Communications International, 1998. Proides guidance and practical suggestions for planning, setting up, and managing iseries security. ISBN Order Number: 1-882419-78-2 HTTP Serer for iseries Webmaster s Guide, GC41-5434-08, proides the system administration with information for configuring and managing the Internet Connection Serer and the Internet Connection Secure Serer. For more information regarding HTTP serer, see the following URL: http://www.ibm.com/eserer/iseries/software/http/docs/doc.htm iseries Security Reference, SC41-5302-06, proides complete information about security system alues, user profiles, resource security, and security auditing. This manual does not describe security for specific licensed programs, languages, and utilities. See the iseries: Information Center Supplemental CD-ROM. Copyright IBM Corp. 1996, 2002 163

The Basic system operations topic in the Information Center proides information on some of the key concepts and tasks required for iseries basic operations. See Prerequisite and related information on page xii for more details. The Information Center describes how to use and configure TCP/IP and the seeral TCP/IP applications, such as FTP, SMTP, and TELNET. See Prerequisite and related information on page xii for more details.. TCP/IP File Serer Support for OS/400 Installation and User s Guide, SC41-0125, proides introductory information, installation instructions, and setup procedures for the File Serer Support licensed program offering. It explains the functions aailable with the product and includes examples and hints for using it with other systems. Trusted Computer Systems Ealuation Criteria DoD 5200.28.STD, describes the criteria for leels of trust for computer systems. The TCSEC is a publication of the United States goernment. Copies may be obtained from: Office of Standards and Products National Computer Security Center Fort Meade, Maryland 20755-6000 USA Attention: Chief, Computer Security Standards The Information Center contains seeral topics regarding System Management and Work Management on the iseries. Some of these topics include performance data collection, system alues management, and storage management. For details on accessing the Information Center, see Prerequisite and related information on page xii. Work Management, SC41-5306-03, proides information about how to create and change a work management enironment. See the iseries: Information Center Supplemental Manuals CD-ROM. In addition to these Information Center topics and Supplemental Manuals, you can use the following resources for assistance: IBM SecureWay IBM SecureWay proides a common brand for IBM s broad portfolio of security offerings; hardware, software, consulting and serices to help customers secure their information technology. Whether addressing an indiidual need or creating a total enterprise solution, IBM SecureWay offerings proide the expertise required to plan, design, implement and operate secure solutions for businesses. For more information about IBM SecureWay offerings, isit the IBM SecureWay home page: http://www.ibm.com/secureway Serice offerings Installing new hardware or software can ultimately enhance your efficiency and business operations. But it also poses the threat of business disruption and downtime, and it can tax your aluable internal resources. IBM Global Serices proides serices that relate to iseries security. The following web site allows you to search complete listings of serices for your iseries: http://www.as.ibm.com/asus 164 Tips and tools for securing your iseries serer V5R2

Notices This information was deeloped for products and serices offered in the U.S.A. IBM may not offer the products, serices, or features discussed in this document in other countries. Consult your local IBM representatie for information on the products and serices currently aailable in your area. Any reference to an IBM product, program, or serice is not intended to state or imply that only that IBM product, program, or serice may be used. Any functionally equialent product, program, or serice that does not infringe any IBM intellectual property right may be used instead. Howeer, it is the user s responsibility to ealuate and erify the operation of any non-ibm product, program, or serice. IBM may hae patents or pending patent applications coering subject matter described in this document. The furnishing of this document does not gie you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing IBM Corporation 500 Columbus Aenue Thornwood, NY 10594 U.S.A. For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to: IBM World Trade Asia Corporation Licensing 2-31 Roppongi 3-chome, Minato-ku Tokyo 106-0032, Japan The following paragraph does not apply to the United Kingdom or any other country where such proisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this information to non-ibm Web sites are proided for conenience only and do not in any manner sere as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. Licensees of this program who wish to hae information about it for the purpose of enabling: (i) the exchange of information between independently created Copyright IBM Corp. 1996, 2002 165

programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact: IBM Corporation Software Interoperability Coordinator 3605 Highway 52 N Rochester, MN 55901-7829 U.S.A. Such information may be aailable, subject to appropriate terms and conditions, including in some cases, payment of a fee. The licensed program described in this information and all licensed material aailable for it are proided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equialent agreement between us. Any performance data contained herein was determined in a controlled enironment. Therefore, the results obtained in other operating enironments may ary significantly. Some measurements may hae been made on deelopment-leel systems and there is no guarantee that these measurements will be the same on generally aailable systems. Furthermore, some measurement may hae been estimated through extrapolation. Actual results may ary. Users of this document should erify the applicable data for their specific enironment. Information concerning non-ibm products was obtained from the suppliers of those products, their published announcements or other publicly aailable sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-ibm products. Questions on the capabilities of non-ibm products should be addressed to the suppliers of those products. All statements regarding IBM s future direction or intent are subject to change or withdrawal without notice, and represent goals and objecties only. All IBM prices shown are IBM s suggested retail prices, are current and are subject to change without notice. Dealer prices may ary. This information is for planning purposes only. The information herein is subject to change before the products described become aailable. This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of indiiduals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental. COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrates programming techniques on arious operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of deeloping, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples hae not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, sericeability, or function of these programs. You may copy, 166 Tips and tools for securing your iseries serer V5R2

modify, and distribute these sample programs in any form without payment to IBM for the purposes of deeloping, using, marketing, or distributing application programs conforming to IBM s application programming interfaces. If you are iewing this information softcopy, the photographs and color illustrations may not appear. Trademarks The following terms are trademarks of International Business Machines Corporation in the United States, or other countries, or both: ADSM/400 Adanced 36 Adanced Peer-to-Peer Networking AIX AnyNet Application System/400 APPN AS/400 AS/400e Client Access CT DATABASE 2 Distributed Relational Database Architecture DRDA Global Network IBM iseries iseries Access for Windows iseries Naigator iseries serer Net.Data OfficeVision Operating System/400 OS/2 OS/400 PowerPC AS QMF SAA SecureWay SmoothStart System/36 System/38 S/390 Ultimedia 400 Lotus and Lotus Notes are registered trademarks of Lotus Deelopment Corporation. Domino and Notes are trademarks of Lotus Deelopment Corporation. C-bus is a trademark of Corollary, Inc. Microsoft, Windows, Windows NT, and the Windows 95 logo are registered trademarks of Microsoft Corporation. Jaa and HotJaa are trademarks of Sun Microsystems, Inc. UNIX is a registered trademark in the United States and other countries licensed exclusiely through X/Open Company Limited. PC Direct is a registered trademark of Ziff Communications Company and is used by IBM Corporation under license. Other company, product, and serice names may be trademarks or serice marks of others. Notices 167

168 Tips and tools for securing your iseries serer V5R2

Index Special Characters (PRTPUBAUT) command, Print Publicly Authorized Objects 102 (PRTPVTAUT) command, Print Priate Authorities Objects 101 (QVFYOBJRST) erify objects on restore system alue digital signature 76 restore system alues restore system alues (QVFYOBJRST) 76 (SNMP), simple network management protocol 145 *IOSYSCFG (system configuration) special authority required for APPC configuration commands 111 *PGMADP (program adopt) audit leel 77 *SAVSYS (sae system) special authority controlling 83 *VFYENCPWD (erify encrypted password) alue 113, 117 Numerics 3270 deice emulation exit program 81 A access controlling 49 Access to the QSYS.LIB File System, Restricting 103 Accessing iseries 400 Directories through Mapped Dries 161 action when sign-on attempts reached (QMAXSGNACN) system alue recommended setting 26 alue set by CFGSYSSEC command 42 actions, auditing 57 actiating user profile 28, 34 actie profile list changing 34 Add Performance Collection (ADDPFRCOL) command exit program 81 ADDPFRCOL (Add Performance Collection) command exit program 81 adopted authority limiting 77 monitoring use 77 printing list of objects 37 Adisor, Security 17 allow object restore (QALWOBJRST) system alue suggested use 84 alue set by CFGSYSSEC command 42 allow remote sign-on (QRMTSIGN) system alue affect of *FRCSIGNON alue 112 source for sample exit program 159 using exit program 81 alue set by CFGSYSSEC command 42 Analyze Default Passwords (ANZDFTPWD) command description 34 suggested use 30 Analyze Profile Actiity (ANZPRFACT) command creating exempt users 34 description 34 suggested use 29 analyzing object authority 56 program failure 57 user profile by special authorities 37 by user class 37 user profiles 54 ANZDFTPWD (Analyze Default Passwords) command description 34 suggested use 30 ANZPRFACT (Analyze Profile Actiity) command creating exempt users 34 description 34 suggested use 29 API, Creating a Directory 105 API, Creating a Stream File with the open() or creat() 105 APPC (adanced program-to-program communications) architected security alues application examples 112 description 111 with SECURELOC (secure location) parameter 112 assigning user profile 113 basic elements 110 controller description AUTOCRTDEV (auto-create deice) parameter 119 CPSSN (control-point sessions) parameter 119 disconnect timer parameter 119 security-releant parameters 119 deice description APPN (APPN-capable) parameter 118 LOCPWD (location password) parameter 110 APPC (adanced program-to-program communications) (continued) deice description (continued) PREESTSSN (pre-establish session) parameter 118 restricting with object authority 110 role in security 110 secure location (SECURELOC) parameter 117 SECURELOC (secure location) parameter 110, 112 securing with APPN 111 security-releant parameters 117 SNGSSN (single session) parameter 118 SNUF program start parameter 119 diiding security responsibility 112 ealuating configuration 116, 120 identifying a user 111 line description 120 AUTOANS (auto answer) field 120 AUTODIAL (auto dial) field 120 security-releant parameters 120 remote command 116 restricting with PGMEVOKE entry 116 restricting sessions 110 security tips 109 session 110 starting passthrough job 114 terminology 109 APPC Communications, Basic Elements 110 APPC Sessions, Restricting 110 APPC User Gains Entrance to the Target System 111 APPN-capable (ANN) parameter 118 architected security alues application examples 112 description 111 with SECURELOC (secure location) parameter 112 architected transaction program names list of IBM-supplied 91 architecture transaction program names security tips 90 assigning user profile for APPC job 113 attention program exit program 81 printing for user profiles 65 audit (QAUDJRN) journal damaged 58 managing 57 receier storage threshold 58 system entries 58 audit control (QAUDCTL) system alue changing 35 Copyright IBM Corp. 1996, 2002 169

audit control (QAUDCTL) system alue (continued) displaying 35 audit journal printing entries 37 audit leel (QAUDLVL) system alue changing 35 displaying 35 auditing object authority 56 object integrity 56 program failure 57 auditing actions 57 Auditing Security Functions 54 auditing, security suggestions for using *PGMADP audit leel 77 *PGMFAIL alue 76 *SAVRST alue 76 *SECURITY alue 76 CP (Change Profile) journal entry 28, 29 object auditing 121 oeriew 92 SV (system alue) journal entry 84 authority *SAVSYS (sae system) special authority 83 controlling 83 access to restore commands 83 access to sae commands 83 adopted 77 auditing 57 limiting 77 monitoring 77 at security leel 10 or 20 49 data access by PC users 150 getting started 51 introduction 9 job queues 63 library security 53 managing 59 monitoring 59, 63 national languages 53 new objects 60 output queues 63 oeriew 49 public 59 security tool commands 33 special 64 supplementing menu access control 50 transition enironment 51 when enforced 49 authority, object See object authority authorization list controlling use-adopted-authority 79 monitoring 60 printing authority information 37, 60 auto answer (AUTOANS) field 120 auto dial (AUTODIAL) field 120 auto-create controller (AUTOCRTCTL) parameter 119 AUTOANS (auto answer) field 120 AUTOCRTCTL (auto-create controller) parameter 119 AUTODIAL (auto dial) field 120 automatic cleanup exit program 81 automatic configuration (QAUTOCFG) system alue recommended setting 26 alue set by CFGSYSSEC command 42 automatic irtual-deice configuration (QAUTOVRT) system alue recommended setting 26 alue set by CFGSYSSEC command 42 Automatically Controlling Which TCP/IP Serers Start 124 aoiding security tool file conflicts 33 B backup list exit program 81 Basic Elements of APPC Communications 110 basic elements of security 7 Basics of an APPC Session 110 bibliography 163 BOOTP (Bootstrap Protocol) restricting port 131 security tips 130 Bootstrap Protocol (BOOTP) restricting port 131 security tips 130 Browsers, Security Considerations 161 bypassing sign-on security implications 153 C CFGSYSSEC (Configure System Security) command description 41 suggested use 19 Change Actiation Schedule Entry (CHGACTSCDE) command description 34 suggested use 28 Change Actie Profile List (CHGACTPRFL) command description 34 suggested use 29 Change Backup (CHGBCKUP) command exit program 81 Change Expiration Schedule Entry (CHGEXPSCDE) command description 34 suggested use 29 Change Message Description (CHGMSGD) command exit program 81 Change Performance Collection (CHGPFRCOL) command exit program 81 Change Security Auditing (CHGSECAUD) command description 35 suggested use 92 Change System Library List (CHGSYSLIBL) command restricting access 84 changing actie profile list 34 IBM-supplied passwords 25 security auditing 35 sign-on error messages 27 uid 107 well-known passwords 25 Check Object Integrity (CHKOBJITG) command description 37, 56 suggested use 76 checking altered objects 56 default passwords 34 hidden programs 81 object integrity 37, 76 description 56 CHGACTPRFL (Change Actie Profile List) command description 34 suggested use 29 CHGACTSCDE (Change Actiation Schedule Entry) command description 34 suggested use 28 CHGBCKUP (Change Backup) command exit program 81 CHGEXPSCDE (Change Expiration Schedule Entry) command description 34 suggested use 29 CHGMSGD (Change Message Description) command exit program 81 CHGPFRCOL (Change Performance Collection) command exit program 81 CHGSECAUD (Change Security Auditing) command description 35 suggested use 92 CHGSYSLIBL (Change System Library List) command restricting access 84 CHKOBJITG (Check Object Integrity) command description 37, 56 suggested use 76 cleanup, automatic exit program 81 Client Access bypassing sign-on 153 controlling data access 149 data access methods 149 file transfer 149 gateway serers 155 implications of integrated file system 149 object authority 150 password encryption 153 170 Tips and tools for securing your iseries serer V5R2

Client Access (continued) preenting PC iruses 149 protecting from remote commands 155 restricting remote commands 154 security implications 149 iruses on PCs 149 client request access (PCSACC) network attribute restricting PC data access 149 source for sample exit program 159 using exit program 81 client system definition 109 command reoking public authority 41 command capability listing users 55 command, CL actiation schedule 34 ADDPFRCOL (Add Performance Collection) exit program 81 ANZDFTPWD (Analyze Default Passwords) description 34 suggested use 30 ANZPRFACT (Analyze Profile Actiity) creating exempt users 34 description 34 suggested use 29 CFGSYSSEC (Configure System Security) description 41 suggested use 19 Check Object Integrity (CHKOBJITG) description 56 CHGACTPRFL (Change Actie Profile List) description 34 suggested use 29 CHGACTSCDE (Change Actiation Schedule Entry) description 34 suggested use 28 CHGBCKUP (Change Backup) exit program 81 CHGEXPSCDE (Change Expiration Schedule Entry) description 34 suggested use 29 CHGMSGD (Change Message Description) exit program 81 CHGPFRCOL (Change Performance Collection) exit program 81 CHGSECAUD (Change Security Auditing) description 35 suggested use 92 CHGSYSLIBL (Change System Library List) restricting access 84 CHKOBJITG (Check Object Integrity) description 37, 56 command, CL (continued) CHKOBJITG (Check Object Integrity) (continued) suggested use 76 CRTPRDLOD (Create Product Load) exit program 81 Display Authorized Users (DSPAUTUSR) auditing 54 Display Library (DSPLIB) 56 Display Object Authority (DSPOBJAUT) 56 Display Object Description (DSPOBJD) using output file 55 Display Programs That Adopt (DSPPGMADP) auditing 57 Display User Profile (DSPUSRPRF) using output file 55 DSPACTPRFL (Display Actie Profile List) description 34 DSPACTSCD (Display Actiation Schedule) description 34 DSPAUDJRNE (Display Audit Journal Entries) description 37 suggested use 92 DSPAUTUSR (Display Authorized Users) auditing 54 DSPEXPSCD (Display Expiration Schedule) description 34 suggested use 30 DSPLIB (Display Library) 56 DSPOBJAUT (Display Object Authority) 56 DSPOBJD (Display Object Description) using output file 55 DSPPGMADP (Display Programs That Adopt) auditing 57 DSPSECAUD (Display Security Auditing) description 35 DSPUSRPRF (Display User Profile) using output file 55 ENDPFRMON (End Performance Monitor) exit program 81 PRTADPOBJ (Print Adopting Objects) description 37 PRTCMNSEC (Print Communications Security) description 37 example 116, 120 PRTJOBDAUT (Print Job Description Authority) description 37 suggested use 89 PRTPUBAUT (Print Publicly Authorized Objects) description 37 suggested use 110 command, CL (continued) PRTPVTAUT (Print Priate Authorities) authorization list 37, 60 description 39 suggested use 110 PRTQAUT (Print Queue Authority) description 39 PRTSBSDAUT (Print Subsystem Description) description 37 suggested use 114 PRTSYSSECA (Print System Security Attributes) description 37 sample output 11 suggested use 19 PRTTRGPGM (Print Trigger Programs) description 37 PRTUSROBJ (Print User Objects) description 37 suggested use 84 PRTUSRPRF (Print User Profile) description 37 enironment information example 66 mismatched example 65 password information 28, 30 special authorities example 64 RCVJRNE (Receie Journal Entries) exit program 81 RUNRMTCMD (Run Remote Command) restricting 155 RVKPUBAUT (Reoke Public Authority) description 41 details 44 suggested use 87 SBMRMTCMD (Submit Remote Command) restricting 116 security tools 34 Send Journal Entry (SNDJRNE) 57 SETATNPGM (Set Attention Program) exit program 81 SNDJRNE (Send Journal Entry) 57 STREML3270 (Start 3270 Display Emulation) exit program 81 STRPFRMON (Start Performance Monitor) exit program 81 STRTCP (Start TCP/IP) restricting 121 TRCJOB (Trace Job) exit program 81 WRKREGINF (Work with Registration Information) exit program 82 WRKSBSD (Work with Subsystem Description 87 Command, iseries 400 Create Directory 104 command, Print Priate Authorities Objects (PRTPVTAUT) 101 Index 171

command, Print Publicly Authorized Objects (PRTPUBAUT) 102 commit operation exit program 81 communications entry default user 113 mode 113 security tips 88 Communications, Basic Elements of APPC 110 Communications, Securing APPC 109 computer irus definition 75 iseries serer protection mechanisms 76 protecting against 75 scanning for 76 configuration files, TCP/IP restricting access 123 Configure System Security (CFGSYSSEC) command description 41 suggested use 19 Connections, Controlling Dial-In SLIP 126 contents security tools 34 control-point sessions (CPSSN) parameter 119 controller description printing security-releant parameters 37 controlling *SAVSYS (sae system) special authority 83 access to information 49 to restore commands 83 to sae commands 83 adopted authority 77 APPC deice description 110 APPC sessions 110 architecture transaction program names 90 changes to library list 84 data access from PCs 149 exit programs 81 manager Internet address (INTNETADR) parameter 146 open database connectiity (ODBC) 153 passwords 19 PC (personal computer) 149 remote commands 116, 154 restore capability 83 sae capability 83 scheduled programs 83 signing on 19 subsystem descriptions 87 System/36 file transfer 53 TCP/IP configuration files 123 entry 121 exits 148 trigger programs 80 Controlling Dial-In SLIP Connections 126 Controlling Which TCP/IP Serers Start Automatically 124 CP (Change Profile) journal entry suggested use 28, 29 CPF1107 message 27 CPF1120 message 27 CPSSN (control-point sessions) parameter 119 Create Directory Command 104 Create Product Load (CRTPRDLOD) command exit program 81 Creating a Directory with an API 105 Creating a Stream File with the open() or creat() API 105 Creating an Object by Using a PC Interface 105 CRTPRDLOD (Create Product Load) command exit program 81 current library (CURLIB) parameter 65 customizing security alues 41 D damaged audit journal 58 database file exit program for usage information 81 protecting from PC access 149 DDMACC (DDM request access) network attribute restricting PC data access 149 restricting remote commands 154 source for sample exit program 159 using exit program 81, 116 deactiating user profile 28 Dedicated Serice Tools (DST) passwords 26 default user communications entry possible alues 113 for architecture TPN 90 Detecting Suspicious Programs 75 deice description printing security-releant parameters 37 deice recoery action (QDEVRCYACN) system alue aoiding security exposure 116 recommended setting 26 alue set by CFGSYSSEC command 42 DHCP (dynamic host configuration protocol) restricting port 132 security tips 131 Dial-In Users Accessing Other Systems, Preenting 127 digital signatures introduction 86 Directories, Securing 104 disabling user profile automatically 29, 34 disabling (continued) user profile (continued) impact 30 disconnect timer parameter 119 disconnected job time-out interal (QDSCJOBITV) system alue recommended setting 26 alue set by CFGSYSSEC command 42 Display Actiation Schedule (DSPACTSCD) command description 34 Display Audit Journal Entries (DSPAUDJRNE) command description 37 suggested use 92 Display Authorization List Objects report 61 Display Authorized Users (DSPAUTUSR) command auditing 54 Display Authorized Users (DSPAUTUSR) display 54 Display Expiration Schedule (DSPEXPSCD) command description 34 suggested use 30 Display Library (DSPLIB) command 56 Display Object Authority (DSPOBJAUT) command 56 Display Object Description (DSPOBJD) command using output file 55 Display Programs That Adopt (DSPPGMADP) command auditing 57 Display Security Auditing (DSPSECAUD) command description 35 display sign-on information (QDSPSGNINF) system alue recommended setting 26 alue set by CFGSYSSEC command 42 Display User Profile (DSPUSRPRF) command using output file 55 displaying authorized users 54 group profile members 51 object authority 56 programs that adopt 57 QAUDCTL (audit control) system alue 35 QAUDLVL (audit leel) system alue 35 security auditing 35 user profile actiation schedule 34 actie profile list 34 expiration schedule 34 priate authorities 90 Distribute Program Call APIs 154 DNS (domain name system) restricting port 137 security tips 136 172 Tips and tools for securing your iseries serer V5R2

domain name system (DNS) restricting port 137 security tips 136 downloading authority required 150 DSPACTPRFL (Display Actie Profile List) command description 34 DSPACTSCD (Display Actiation Schedule) command description 34 DSPAUDJRNE (Display Audit Journal Entries) command description 37 suggested use 92 DSPAUTUSR (Display Authorized Users) command auditing 54 DSPEXPSCD (Display Expiration Schedule) command description 34 suggested use 30 DSPLIB (Display Library) command using 56 DSPOBJAUT (Display Object Authority) command using 56 DSPOBJD (Display Object Description) command using output file 55 DSPPGMADP (Display Programs That Adopt) command auditing 57 DSPSECAUD (Display Security Auditing) command description 35 DSPUSRPRF (Display User Profile) command using output file 55 DST (Dedicated Serice Tools) passwords 26 dynamic host configuration protocol (DHCP) restricting port 132 security tips 131 E enabling user profile automatically 34 encryption password PC sessions 153 End Performance Monitor (ENDPFRMON) command exit program 81 ENDPFRMON (End Performance Monitor) command exit program 81 enhanced integrity protection security leel (QSECURITY) 50 7 ealuating registered exit 82 scheduled programs 83 exit program 3270 emulation function key 81 exit program (continued) allow remote sign-on (QRMTSIGN) system alue 81, 159 attention program 81 automatic cleanup (QEZUSRCLNP) 81 backup list (CHGBCKUP command) 81 change message description (CHGMSGD command) 81 client request access (PCSACC) network attribute 81, 159 commit operation 81 create product load (CRTPRDLOD command) 81 database file usage 81 DDM request access (DDMACC) network attribute 81, 159 ealuating 81 file system functions 81 format selection 81 logical file format selection 81 message description 81 open database connectiity (ODBC) 159 password alidation program (QPWDVLDPGM) system alue 81, 159 performance collection 81 printer deice description 81 QATNPGM (attention program) system alue 81 QHFRGFS API 81 QTNADDCR API 81 QUSCLSXT program 81 RCVJRNE command 81 receiing journal entries 81 registration function 82 rollback operation 81 separator pages 81 SETATNPGM (Set Attention Program) command 81 sources 159 STREML3270 (Start 3270 Display Emulation) command 81 TRCJOB (Trace Job) command 81 expiration user profile displaying schedule 34 setting schedule 29, 34 F file security tools 33 file system function exit program 81 File System, Integrated 97 File System, Network 106 File System, QFileSr.400 105 File System, Restricting Access to the QSYS.LIB 103 File Systems, Root (/), QOpenSys, and User-Defined 99 File Systems, Security for the Root (/), QOpenSys, and User-Defined 100 file transfer PC (personal computer) 149 restricting 53 file transfer protocol (FTP) source for sample exit program 159 file usage exit program 81 FMTSLR (record format selection program) parameter 81 force create (FRCCRT) parameter 76 forcing program creation 76 FRCCRT (force create) parameter 76 FTP (file transfer protocol) source for sample exit program 159 full audit (QAUDJRN) journal receier 58 Functions, Auditing Security 54 G gateway serer security issues 155 global settings 8 group profile introduction 9 H hidden program checking for 81 I IBM-supplied profile changing password 25 ICS (Internet Connection Serer) description 138 preenting autostart serer 138 security tips 138 ICSS (Internet Connection Secure Serer) description 143 security tips 143 identifying APPC user 111 inactie user listing 55 inactie job message queue (QINACTMSGQ) system alue recommended setting 26 alue set by CFGSYSSEC command 42 inactie job time-out interal (QINACTITV) system alue recommended setting 26 alue set by CFGSYSSEC command 42 INETD 147 initial menu (INLMNU) parameter 65 initial program (INLPGM) parameter 65 integrated file system security implications 149 Integrated File System 97 Integrated File System, Security 97 Index 173

integrity checking description 56 integrity protection security leel (QSECURITY) 40 7 intermediate node routing 118 Internet Connection Secure Serer (ICSS) description 143 security tips 143 Internet Connection Serer (ICS) description 138 preenting autostart serer 138 security tips 138 INTNETADR (manager Internet address) parameter restricting 146 iseries 400 Create Directory Command 104 iseries 400 Directories through Mapped Dries, Accessing 161 iseries Access Express, Using SSL 152 iseries Access for Windows using SSL with 152 iseries Naigator, Security 152 iseries security adisor 15 iseries security wizard 15 J job description printing for user profiles 65 printing security-releant parameters 37 security tips 89 job queue monitoring access 63 printing security-releant parameters 39 job queue entry security tips 88 job scheduler ealuating programs 83 job, APPC assigning user profile 113 JOBACN (network job action) network attribute 116 journal entry CP (Change Profile) suggested use 28, 29 receiing exit program 81 sending 57 journal receier, audit storage threshold 58 L large user profile 55 library listing all libraries 56 contents 56 library list security implications 84 library security 53 Lightweight Directory Access Protocol (LDAP) security features 144 limit security officer (QLMTSECOFR) system alue recommended setting 26 alue set by CFGSYSSEC command 42 limiting adopted 77 capabilities listing users 55 line printer daemon (LDP) description 144 preenting autostart serer 144 restricting port 145 security tips 144 listing all libraries 56 library contents 56 selected user profiles 55 local system definition 109 location password APPN 111 location password (LOCPWD) parameter 110 LOCPWD (location password) parameter 110 logical file exit program for record format selection 81 logical partitions, security 70 LP Security 69 LPD (line printer daemon) description 144 preenting autostart serer 144 restricting port 145 security tips 144 M management protocol (SNMP), simple network 145 manager Internet address (INTNETADR) parameter restricting 146 managing adopted authority 77 audit journal 57 authority 59 authority to new objects 60 authorization lists 60 job queues 63 output queues 63 priate authority 63 public authority 59 restore capability 76, 83 sae capability 76, 83 scheduled programs 83 special authority 64 subsystem description 87 trigger programs 80 user enironment 65 Mapped Dries, Accessing iseries 400 Directories through 161 maximum size audit (QAUDJRN) journal receier 58 maximum sign-on attempts (QMAXSIGN) system alue recommended setting 26 alue set by CFGSYSSEC command 42 menu security tools 34 menu access control description 49 menu access limitations 50 supplementing with object authority 50 transition enironment 51 user profile parameters 50 menu security description 49 menu access limitations 50 supplementing with object authority 50 transition enironment 51 user profile parameters 50 message CPF1107 27 CPF1120 27 exit program 81 message queue (MSGQ) parameter 65 Methods That the System Uses to Send Information about a User 111 Mischief, Preenting and Detecting 85 mode communications entry 113 monitoring adopted authority 77 authority 59 authority to new objects 60 authorization lists 60 job queues 63 object authority 56 object integrity 56 output queues 63 password actiity 30 priate authority 63 program failure 57 public authority 59 restore capability 76, 83 sae capability 76, 83 scheduled programs 83 sign-on actiity 30 special authority 64 subsystem description 87 trigger programs 80 user enironment 65 user profile changes 85 N national language support object authority 53 network attribute command for setting 41 DDMACC (DDM request access) restricting PC data access 149 174 Tips and tools for securing your iseries serer V5R2

network attribute (continued) DDMACC (DDM request access) (continued) restricting remote commands 154 source for sample exit program 159 using exit program 81, 116 JOBACN (network job action) 116 PCSACC (client request access) restricting PC data access 149 source for sample exit program 159 using exit program 81 printing security-releant 11, 37 Network File System 106 network job action (JOBACN) network attribute 116 new object managing authority 60 New Objects, Security 104 Notices 165 O object altered checking 56 authority source printing list 60 managing authority to new 60 printing adopted authority 37 authority source 37 non-ibm 37 object authority *SAVSYS (sae system) special authority 83 controlling 83 access to restore commands 83 access to sae commands 83 adopted 77 limiting 77 monitoring 77 analyzing 56 at security leel 10 or 20 49 data access by PC users 150 displaying 56 getting started 51 introduction 9 job queues 63 library security 53 managing 59 monitoring 59, 63 national languages 53 new objects 60 output queues 63 oeriew 49 public 59 security tool commands 33 special 64 supplementing menu access control 50 transition enironment 51 when enforced 49 object integrity auditing 56 object ownership 53 object signing instroduction 86 object-based system protecting against computer iruses 75 security implications 49 Objects, Security for New 104 ODBC (open database connectiity) controlling access 153 source for sample exit program 159 one-way encryption 30 open database connectiity (ODBC) controlling access 153 source for sample exit program 159 Operations Console cryptography 71 data integrity 73 data priacy 72 deice authentication 72 direct connectiity 72, 73 LAN connectiity 72, 73 remote console 71 serice tools user profiles 71 setup wizard 73 userprofiles 71 using 71 usre authentication 72 Operations Console with LAN connectiity changing password 73 setup wizard serice tools deice profile 73 serice tools deice profile password 73 using 73 output queue monitoring access 63 printing for user profiles 65 printing security-releant parameters 39 ownership, objects 53 P partitions, logical 70 passthrough job starting 114 password changing IBM-supplied 25 checking for default 34 default 30 encryption PC sessions 153 expiration interal (QPWDEXPITV) system alue recommended setting 19 alue set by CFGSYSSEC command 42 limit repeated characters (QPWDLMTREP) system alue recommended setting 19 alue set by CFGSYSSEC command 42 maximum length (QPWDMAXLEN) system alue recommended setting 19 password (continued) maximum length (QPWDMAXLEN) system alue (continued) alue set by CFGSYSSEC command 42 minimum length (QPWDMINLEN) system alue recommended setting 19 alue set by CFGSYSSEC command 42 monitoring actiity 30 one-way encryption 30 QPGMR (programmer) user profile 43 QSRV (serice) user profile 43 QSRVBAS (basic serice) user profile 43 QSYSOPR (system operator) user profile 43 QUSER (user) user profile 43 require numeric character (QPWDRQDDGT) system alue recommended setting 19 alue set by CFGSYSSEC command 42 require position difference (QPWDPOSDIF) system alue recommended setting 19 alue set by CFGSYSSEC command 42 required difference (QPWDRQDDIF) system alue recommended setting 19 alue set by CFGSYSSEC command 42 restrict adjacent characters (QPWDLMTAJC) system alue recommended setting 19 alue set by CFGSYSSEC command 42 restrict characters (QPWDLMTCHR) system alue recommended setting 19 alue set by CFGSYSSEC command 42 setting rules 19 storing 31 alidation program (QPWDVLDPGM) system alue recommended setting 19 alue set by CFGSYSSEC command 42 password leels changing 20, 21, 23, 24 introduction 20 planning 20 setting 20 password required difference (QPWDRQDDIF) system alue alue set by CFGSYSSEC command 42 password alidation program (QPWDVLDPGM) system alue source for sample exit program 159 using exit program 81 passwords changing 25 Index 175

PC (personal computer) bypassing sign-on 153 controlling data access 149 data access methods 149 file transfer 149 gateway serers 155 implications of integrated file system 149 object authority 150 password encryption 153 preenting PC iruses 149 protecting from remote commands 155 restricting remote commands 154 security implications 149 iruses on PCs 149 PCSACC (client request access) network attribute restricting PC data access 149 source for sample exit program 159 using exit program 81 performance collection exit program 81 physical security 85 piggy-backing 118 planning password leel changes changing password leel from 1to 0 24 changing password leel from 2 to 1 24 changing password leel from 2to 0 24 changing password leel from 3 to 0 24 changing password leel from 3 to 1 24 changing password leel from 3 to 2 23 changing password leels planning leel changes 20, 21 changing password leels (0 to 1) 21 changing password leels (0 to 2) 21 changing password leels (1 to 2) 21 changing password leels (2 to 3) 23 decreasing password leels 23, 24 increasing password leel 21 QPWDLVL changes 20, 21 point-to-point (PPP) protocol security considerations 129 pre-establish session (PREESTSSN) parameter 118 PREESTSSN (pre-establish session) parameter 118 preenting TCP/IP entry 121 Preenting and Detecting Mischief 85 Preenting Dial-In Users from Accessing Other Systems 127 Print Adopting Objects (PRTADPOBJ) command description 37 Print Communications Security (PRTCMNSEC) command description 37 example 116, 120 Print Job Description Authority (PRTJOBDAUT) command description 37 suggested use 89 Print Priate Authorities (PRTPVTAUT) command authorization list 37, 60 description 39 suggested use 110 Print Priate Authorities Objects (PRTPVTAUT) command 101 Print Publicly Authorized Objects (PRTPUBAUT) command 102 description 39 suggested use 110 Print Queue Authority (PRTQAUT) command description 39 Print Subsystem Description (PRTSBSDAUT) command description 37 suggested use 114 Print System Security Attributes (PRTSYSSECA) command description 37 sample output 11 suggested use 19 Print Trigger Programs (PRTTRGPGM) command description 37 Print User Objects (PRTUSROBJ) command description 37 suggested use 84 Print User Profile (PRTUSRPRF) command description 37 enironment information example 66 mismatched example 65 password information 28, 30 special authorities example 64 printer deice description exit program for separator pages 81 printing adopted object information 37 audit journal entries 37 authorization list information 37, 60 list of non-ibm objects 37 network attributes 37 publicly authorized objects 39 security-releant communications settings 37 security-releant job queue parameters 39 security-releant output queue parameters 39 security-releant subsystem description alues 37 system security attributes 11 system alues 37 trigger programs 37 Priate Authorities Objects (PRTPVTAUT) command, Print 101 priate authority monitoring 63 profile analyzing with query 54 profile (continued) user 54 large, examining 55 listing inactie 55 listing selected 55 listing users with command capability 55 listing users with special authorities 55 program adopt authority function auditing 57 forcing creating 76 hidden checking for 81 scheduled ealuating 83 program adopt (*PGMADP) audit leel 77 program failure auditing 57 program alidation alue 76 programs that adopt displaying 57 programs that adopt authority limiting 77 monitoring use 77 Programs, Using Security Exit 159 protected library checking for user objects 84 protecting against computer iruses 75 TCP/IP port applications 123 protocol (SNMP), simple network management 145 PRTADPOBJ (Print Adopting Objects) command description 37 PRTCMNSEC (Print Communications Security) command description 37 example 116, 120 PRTJOBDAUT (Print Job Description Authority) command description 37 suggested use 89 PRTPUBAUT (Print Publicly Authorized Objects) command description 37 suggested use 110 PRTPVTAUT (Print Priate Authorities) command authorization list 37, 60 description 39 suggested use 110 PRTQAUT (Print Queue Authority) command description 39 PRTSBSDAUT (Print Subsystem Description) command description 37 suggested use 114 PRTSYSSECA (Print System Security Attributes) command description 37 sample output 11 suggested use 19 176 Tips and tools for securing your iseries serer V5R2

PRTTRGPGM (Print Trigger Programs) command description 37 PRTUSROBJ (Print User Objects) command description 37 suggested use 84 PRTUSRPRF (Print User Profile) command description 37 enironment information example 66 mismatched example 65 password information 28, 30 special authorities example 64 public authority monitoring 59 printing 39 reoking 41 reoking with RVKPUBAUT command 44 public authority to the root directory 101 public user definition 59 publications related 163 Publicly Authorized Objects (PRTPUBAUT) command, Print 102 Q QALWOBJRST (allow object restore) system alue suggested use 84 alue set by CFGSYSSEC command 42 QAUDCTL (audit control) system alue changing 35 displaying 35 QAUDJRN (audit) journal damaged 58 managing 57 receier storage threshold 58 system entries 58 QAUDLVL (audit leel) system alue changing 35 displaying 35 QAUTOCFG (automatic configuration) system alue recommended setting 26 alue set by CFGSYSSEC command 42 QAUTOVRT (automatic irtual-deice configuration) system alue recommended setting 26 alue set by CFGSYSSEC command 42 QCONSOLE default password 73 QDEVRCYACN (deice recoery action) system alue aoiding security exposure 116 recommended setting 26 alue set by CFGSYSSEC command 42 QDSCJOBITV (disconnected job time-out interal) system alue recommended setting 26 alue set by CFGSYSSEC command 42 QDSPSGNINF (display sign-on information) system alue recommended setting 26 alue set by CFGSYSSEC command 42 QEZUSRCLNP exit program 81 QFileSr.400 File System 105 QHFRGFS API exit program 81 QINACTITV (inactie job time-out interal) system alue recommended setting 26 alue set by CFGSYSSEC command 42 QINACTMSGQ (inactie job message queue) system alue recommended setting 26 alue set by CFGSYSSEC command 42 QLMTSECOFR (limit security officer) system alue recommended setting 26 alue set by CFGSYSSEC command 42 QMAXSGNACN (action when sign-on attempts reached) system alue recommended setting 26 alue set by CFGSYSSEC command 42 QMAXSIGN (maximum sign-on attempts ) recommended setting 26 QMAXSIGN (maximum sign-on attempts) system alue alue set by CFGSYSSEC command 42 QPGMR (programmer) user profile password set by CFGSYSSEC command 43 QPWDEXPITV (password expiration interal) system alue recommended setting 19 alue set by CFGSYSSEC command 42 QPWDLMTAJC (password restrict adjacent characters) system alue recommended setting 19 alue set by CFGSYSSEC command 42 QPWDLMTCHR (password restrict characters) system alue recommended setting 19 alue set by CFGSYSSEC command 42 QPWDMAXLEN (password maximum length) system alue recommended setting 19 alue set by CFGSYSSEC command 42 QPWDMINLEN (password minimum length) system alue recommended setting 19 QPWDMINLEN (password minimum length) system alue (continued) alue set by CFGSYSSEC command 42 QPWDPOSDIF (password require position difference) system alue recommended setting 19 alue set by CFGSYSSEC command 42 QPWDRQDDGT (password require numeric character) system alue recommended setting 19 alue set by CFGSYSSEC command 42 QPWDRQDDIF (password required difference) system alue recommended setting 19 alue set by CFGSYSSEC command 42 QPWDVLDPGM (password alidation program) system alue recommended setting 19 source for sample exit program 159 using exit program 81 alue set by CFGSYSSEC command 42 QPWFSERVER 103 QRETSVRSEC (Retain Serer Security Data) system alue description 31 using for SLIP dial-out 128 QRMTSIGN (allow remote sign-on) system alue affect of *FRCSIGNON alue 112 source for sample exit program 159 using exit program 81 alue set by CFGSYSSEC command 42 QSECURITY (security leel) system alue description 7 alue set by CFGSYSSEC command 42 QSRV (serice) user profile password set by CFGSYSSEC command 43 QSRVBAS (basic serice) user profile password set by CFGSYSSEC command 43 QSYS.LIB File System, Restricting Access to 103 QSYS38 (System/38) library restricting commands 53 QSYSCHID (Change uid) API 107 QSYSLIBL (system library list) system alue protecting 84 QSYSMSG (system message) message queue source for sample exit program 159 suggested use 92 QSYSOPR (system operator) user profile password set by CFGSYSSEC command 43 QTNADDCR API exit program 81 QUSCLSXT program 81 Index 177

QUSEADPAUT (use adopted authority) system alue 79 QUSER (user) user profile password set by CFGSYSSEC command 43 QVFYOBJRST (Verify Object Restore) system alue 86 QVFYOBJRST (erify object restore) system alue suggested use 84 R RCVJRNE (Receie Journal Entries) exit program 81 Receie Journal Entries (RCVJRNE) exit program 81 receiing journal entries exit program 81 recommendation password system alues 19 sign-on system alues 26 record format selection program (FMTSLR) parameter 81 recoering damaged audit journal 58 registered exit ealuating 82 related publications 163 remote command preenting 116, 154 restricting with PGMEVOKE entry 116 Remote EXECution serer (REXECD) restricting port 135 security tips 135 remote job preenting 116 remote location name entry security tips 88 remote system definition 109 remoing inactie user profiles 29 PGMEVOKE routing entries 116 user profile automatically 29, 34 resource security definition 7 introduction 9 limit access introduction 9 restore capability controlling 83 monitoring 76 restore command restricting access 83 Restricting Access to the QSYS.LIB File System 103 Restricting APPC Sessions 110 Retain Serer Security Data (QRETSVRSEC) system alue description 31 using for SLIP dial-out 128 Reoke Public Authority (RVKPUBAUT) command description 41 Reoke Public Authority (RVKPUBAUT) command (continued) details 44 suggested use 87 reoking public authority 41 REXECD (Remote EXECution serer) restricting port 135 security tips 135 roaming, TCP/IP restricting 148 rollback operation exit program 81 Root (/), QOpenSys, and User-Defined File Systems 99 root directory, public authority 101 Route Daemon (RouteD) security tips 136 RouteD (Route Daemon) security tips 136 routing entry remoing PGMEVOKE entry 116 security tips 88 Run Remote Command (RUNRMTCMD) command restricting 155 RUNRMTCMD (Run Remote Command) command restricting 155 RVKPUBAUT (Reoke Public Authority) command description 41 details 44 suggested use 87 S sae capability controlling 83 monitoring 76 sae command restricting access 83 saing security tools 34 SBMRMTCMD (Submit Remote Command) command restricting 116 scan object alterations 56 scheduling user profile actiation 28, 34 deactiation 28 expiration 29, 34 SECBATCH (Submit Batch Reports) menu submitting reports 36 secure bind 110 secure location (SECURELOC) parameter 117 *VFYENCPWD (erify encrypted password) alue 113, 117 description 112 diagram 110 secure sockets layer (SSL) using with iseries Access for Windows 152 secure Web site 143 SECURE(NONE) description 111 SECURE(PROGRAM) description 111 SECURE(SAME) description 111 SECURELOC (secure location) parameter 117 *VFYENCPWD (erify encrypted password) alue 113, 117 description 112 diagram 110 securing security tools 33 TCP/IP communications 121 Securing APPC Communications 109 Securing Directories 104 Security Adisor 17 Security and iseries Naigator 152 security attributes printing 11 security audit journal printing entries 37 security auditing displaying 35 introduction 11, 54 restore operations 84 setting up 35 suggestions for using *PGMADP audit leel 77 *PGMFAIL alue 76 *SAVRST alue 76 *SECURITY alue 76 CP (Change Profile) journal entry 28, 29 object auditing 121 oeriew 92 SV (system alue) journal entry 84 Security Considerations for Browsers 161 Security Exit Programs, Using 159 Security for New Objects 104 Security for the Root (/), QOpenSys, and User-Defined File Systems 100 Security Functions, Auditing 54 security leel (QSECURITY) system alue description 7 alue set by CFGSYSSEC command 42 security leel 10 migrating from 49 object authority 49 security leel 20 migrating from 49 object authority 49 security tools authority for commands 33 commands 34 contents 34 file conflicts 33 files 33 menus 34 protecting output 33 saing 34 securing 33 178 Tips and tools for securing your iseries serer V5R2

security alue setting 41 security alue, architected application examples 112 description 111 with SECURELOC (secure location) parameter 112 Security Wizard 15 Security, Integrated File System Approach 97 Security, LP 69 security, physical 85 SECURITY(NONE) with *FRCSIGNON alue for QRMTSIGN system alue 112 Send Journal Entry (SNDJRNE) command 57 sending journal entry 57 separator page exit program 81 Serial Interface Line Protocol (SLIP) controlling 125 description 125 securing dial in 126 securing dial-out 128 serer definition 109 serice tool user profiles DST management 66 serice tool user profiles (DST) 66 serice tools user profiles (serice tools) 66 serice tools deice profile attributes console 73 changing password 73 default password 73 password 73 protecting 73 Serice Tools Serer (STS) logical partitions 70 Session, Basics of an APPC 110 Set Attention Program (SETATNPGM) command exit program 81 SETATNPGM (Set Attention Program) command exit program 81 setting network attributes 41 security alues 41 system alues 41 setting up security auditing 35 Sign On display changing error messages 27 sign-on security definition 7 Signed Applets, Trusting 162 signing objects 86 signing on bypassing 153 controlling 19 monitoring attempts 30 setting system alues 26 simple network management protocol (SNMP) 145 preenting autostart serer 145 restricting port 146 security tips 145, 147 single session (SNGSSN) parameter 118 SLIP (Serial Interface Line Protocol) controlling 125 description 125 securing dial in 126 securing dial-out 128 SNDJRNE (Send Journal Entry) command 57 SNGSSN (single session) parameter 118 sniffing 153 SNMP (simple network management protocol) preenting autostart serer 145 restricting port 146 security tips 145, 147 SNUF program start parameter 119 source security exit programs 159 source system definition 109 special authority *SAVSYS (sae system) controlling 83 analyzing assignment 37 listing users 55 mismatch with user class 65 monitoring 64 SSL using with iseries Access for Windows 152 Start 3270 Display Emulation (STREML3270) command exit program 81 Start Performance Monitor (STRPFRMON) command exit program 81 Start TCP/IP (STRTCP) command restricting 121 starting passthrough job 114 storage threshold audit (QAUDJRN) journal receier 58 storing passwords 31 STRPFRMON (Start Performance Monitor) command exit program 81 STRTCP (Start TCP/IP) command restricting 121 STS (Serice Tools Serer) logical partitions 70 Submit Remote Command (SBMRMTCMD) command restricting 116 submitting security reports 36 subsystem description communications entry default user 113 mode 113 subsystem description (continued) monitoring security-releant alues 87 printing security-releant parameters 37 routing entry remoing PGMEVOKE entry 116 security tips autostart job entry 87 communications entry 88 job queue entry 88 prestart job entry 89 remote location name entry 88 routing entry 88 workstation name entry 88 workstation type entry 88 security-releant alues 87 Suspicious Programs, Detecting 75 SV (system alue) journal entry suggested use 84 system change-journal management support 58 system configuration (*IOSYSCFG) special authority required for APPC configuration commands 111 system library list (QSYSLIBL) system alue protecting 84 system message (QSYSMSG) message queue source for sample exit program 159 suggested use 92 system alue command for setting 41 introduction 8 printing security-releant 11, 37 QALWOBJRST (allow object restore) suggested use 84 alue set by CFGSYSSEC command 42 QAUDCTL (audit control) changing 35 displaying 35 QAUDLVL (audit leel) changing 35 displaying 35 QAUTOCFG (automatic configuration) recommended setting 26 alue set by CFGSYSSEC command 42 QAUTOVRT (automatic irtual-deice configuration) recommended setting 26 alue set by CFGSYSSEC command 42 QDEVRCYACN (deice recoery action) aoiding security exposure 116 recommended setting 26 alue set by CFGSYSSEC command 42 QDSCJOBITV (disconnected job time-out interal) recommended setting 26 alue set by CFGSYSSEC command 42 Index 179

system alue (continued) QDSPSGNINF (display sign-on information) recommended setting 26 alue set by CFGSYSSEC command 42 QINACTITV (inactie job time-out interal) recommended setting 26 alue set by CFGSYSSEC command 42 QINACTMSGQ (inactie job message queue) recommended setting 26 alue set by CFGSYSSEC command 42 QLMTSECOFR (limit security officer) recommended setting 26 alue set by CFGSYSSEC command 42 QMAXSGNACN (action when sign-on attempts reached) alue set by CFGSYSSEC command 42 QMAXSIGN (maximum sign-on attempts) recommended setting 26 alue set by CFGSYSSEC command 42 QPWDEXPITV (password expiration interal) recommended setting 19 alue set by CFGSYSSEC command 42 QPWDLMTAJC (password restrict adjacent characters) recommended setting 19 alue set by CFGSYSSEC command 42 QPWDLMTCHR (password restrict characters) recommended setting 19 alue set by CFGSYSSEC command 42 QPWDLMTREP (password limit repeated characters) recommended setting 19 alue set by CFGSYSSEC command 42 QPWDLMTREP (password require position difference) recommended setting 19 alue set by CFGSYSSEC command 42 QPWDLVL (password leel) recommended setting 19 QPWDMAXLEN (password maximum length) recommended setting 19 alue set by CFGSYSSEC command 42 QPWDMINLEN (password minimum length) recommended setting 19 alue set by CFGSYSSEC command 42 system alue (continued) QPWDRQDDGT (password require numeric character) recommended setting 19 alue set by CFGSYSSEC command 42 QPWDRQDDIF (password required difference) recommended setting 19 alue set by CFGSYSSEC command 42 QPWDVLDPGM (password alidation program) recommended setting 19 source for sample exit program 159 using exit program 81 alue set by CFGSYSSEC command 42 QRETSVRSEC (Retain Serer Security Data) using for SLIP dial-out 128 QRMTSIGN (allow remote sign-on) affect of *FRCSIGNON alue 112 source for sample exit program 159 using exit program 81 alue set by CFGSYSSEC command 42 QSECURITY (security leel) description 7 alue set by CFGSYSSEC command 42 QSYSLIBL (system library list) protecting 84 QUSEADPAUT (use adopted authority) 79 Retain Serer Security Data (QRETSVRSEC) description 31 security setting 41 sign-on recommendations 26 System, Network File 106 System, QFileSr.400 File 105 System, Restricting Access to the QSYS.LIB File 103 System/36 file transfer restricting 53 System/38 (QSYS38) library restricting commands 53 Systems, Security for the Root (/), QOpenSys, and User-Defined Files 100 T target system definition 109 TCP/IP point-to-point (PPP) protocol security considerations 129 TCP/IP communications BOOTP (Bootstrap Protocol) restricting port 131 security tips 130 TCP/IP communications (continued) DHCP (dynamic host configuration protocol) restricting port 132 security tips 131 DNS (domain name system) restricting port 137 security tips 136 FTP (file transfer protocol) source for sample exit program 159 Internet Connection Secure Serer (ICSS) description 143 security tips 143 Internet Connection Serer (ICS) description 138 preenting autostart serer 138 security tips 138 LPD (line printer daemon) description 144 preenting autostart serer 144 restricting port 145 security tips 144 preenting entry 121 protecting port applications 123 restricting configuration files 123 exits 148 manager Internet address (INTNETADR) parameter 146 roaming 148 STRTCP command 121 REXECD (Remote EXECution serer) restricting port 135 security tips 135 RouteD (Route Daemon) security tips 136 SLIP (Serial Interface Line Protocol) controlling 125 description 125 securing dial in 126 securing dial-out 128 SNMP (simple network management protocol) preenting autostart serer 145 restricting port 146 security tips 145, 147 TFTP (triial file transfer protocol) restricting port 133 security tips 133 tips for securing 121 TFTP (triial file transfer protocol) restricting port 133 security tips 133 Trace Job (TRCJOB) command exit program 81 TRCJOB (Trace Job) command exit program 81 trigger program ealuating use 80 listing all 37 monitoring use 80 triial file transfer protocol (TFTP) restricting port 133 security tips 133 180 Tips and tools for securing your iseries serer V5R2

Trojan horse checking for 81 description 80 inheriting adopted authority 79 Trusting Signed Applets 162 U uid changing 107 unqualified call 84 uploading authority required 150 use adopted authority (QUSEADPAUT) system alue 79 use adopted authority (USEADPAUT) parameter 78 USEADPAUT (use adopted authority) parameter 78 user APPC job 111 user class analyzing assignment 37 mismatch with special authority 65 user enironment monitoring 65 user object in protected libraries 84 user profile analyzing by special authorities 37 by user class 37 analyzing with query 54 assigning for APPC job 113 auditing authorized users 54 checking for default password 34 default password 30 disabled (*DISABLED) status 30 disabling automatically 29 displaying expiration schedule 30 introduction 8 large, examining 55 list of permanently actie changing 34 listing inactie 55 selected 55 users with command capability 55 users with special authorities 55 menu access control 50 mismatched special authorities and user class 65 monitoring 85 monitoring enironment settings 65 monitoring special authorities 64 monitoring user class 65 preenting from being disabled 29 printing See also listing enironment 66 special authorities 64 processing inactie 29 remoing automatically 29 remoing inactie 29 user profile (continued) scheduling actiation 28 scheduling deactiation 28 scheduling expiration 29 User, Methods That the System Uses to Send Information about a 111 Using SSL with iseries Access Express 152 V alidation alue 76 erify encrypted password (*VFYENCPWD) alue 113, 117 erify object restore (QVFYOBJRST) system alue suggested use 84 irus definition 75 detecting 56 iseries serer protection mechanisms 76 protecting against 75 scanning 56 scanning for 76 irus-scan program 76 W well-known password changing 25 wireless communications 156 Wizard, Security 15 Work with Registration Information (WRKREGINF) command exit program 82 Work with Subsystem Description (WRKSBSD) command 87 workstation name entry security tips 88 workstation type entry security tips 88 WRKREGINF (Work with Registration Information) command exit program 82 WRKSBSD (Work with Subsystem Description) command 87 Index 181

182 Tips and tools for securing your iseries serer V5R2

Readers Comments We d Like to Hear from You iseries Tips and Tools for Securing Your iseries Version 5 Publication No. SC41-5300-06 Oerall, how satisfied are you with the information in this book? Very Satisfied Satisfied Neutral Dissatisfied Very Dissatisfied Oerall satisfaction h h h h h How satisfied are you that the information in this book is: Very Satisfied Satisfied Neutral Dissatisfied Very Dissatisfied Accurate h h h h h Complete h h h h h Easy to find h h h h h Easy to understand h h h h h Well organized h h h h h Applicable to your tasks h h h h h Please tell us how we can improe this book: Thank you for your responses. May we contact you? h Yes h No When you send comments to IBM, you grant IBM a nonexclusie right to use or distribute your comments in any way it beliees appropriate without incurring any obligation to you. Name Address Company or Organization Phone No.

Readers Comments We d Like to Hear from You SC41-5300-06 SC41-5300-06 Fold and Tape Please do not staple Fold and Tape BUSINESS REPLY MAIL FIRST-CLASS MAIL PERMIT NO. 40 ARMONK, NEW YORK POSTAGE WILL BE PAID BY ADDRESSEE IBM CORPORATION ATTN DEPT 542 IDCLERK 3605 Highway 52 N ROCHESTER MN 55901-7829 NO POSTAGE NECESSARY IF MAILED IN THE UNITED STATES Fold and Tape Please do not staple Fold and Tape Cut or Fold Along Line Cut or Fold Along Line

Printed in U.S.A. SC41-5300-06